
COUNCIL CONSEIL 
OFEUROPE DEL'EUROPE 



Special Assessment of the 
Effectiveness of Customer Due 
Diligence Measures in the Banking 
Sector in Cyprus 



Report produced by a team of international experts under the auspices of the 
Committee of Experts on the Evaluation of Anti-Money Laundering Measures 
and the Financing of Terrorism (MONEYVAL) in response to a request by the 
President of the Eurogroup Working Group 



24 April 2013 

This document is strictly confidential and is intended for the sole use by the Central Bank of Cyprus, the Minister of 
Finance of Cyprus, the European Commission, the European Central Bank and the International Monetary Fund. No 
part of this document may be translated, reproduced or transmitted, in any form or by any means, electronic (CD- 
Rom, Internet, etc) or mechanical, including photocopying, recording or any information storage or retrieval system 
without prior permission in writing from the MONEYVAL Secretariat, Directorate General of Human Rights and 
Legal Affairs, Council ofEurope (F-67075 Strasbourg or dghl.moneyval@coe.int). 



Strictly Confidential 



A. EXECUTIVE SUMMARY 3 

Background information 3 

Key findings 3 

Methodology 5 

The nature of the business and main vulnerabilities 5 

Preventive measures and recommendations 7 

B. ASSIGNMENT 12 

C. SCOPE AND METHODOLOGY 14 

D. THE BANKING SECTOR AND INTERNATIONAL BUSINESS IN CYPRUS 18 

The Banking Sector 18 

International Business 19 

Trust and Company Services and Business Introducers 21 

Companies 22 

E. FINDINGS AND RECOMMENDATIONS 24 

Introduction 24 

Structure and status of AML/CFT compliance within the banks 24 

Governance issues: the role of banks' Boards in determining ML/TF risk policy 25 

AML/CFT Risk Policy 25 

Role of internal audit and group compliance (where applicable) 27 

Identification measures 27 

Verification measures 27 

Identification and verification of beneficial ownership 29 

Client Acceptance - economie and financial rationale for conducting business in/through Cyprus 31 

Higher risk categories of customers 32 

Information on the purpose and intended nature of the business relationship 39 

Ongoing monitoring 39 

Politically Exposed Persons 41 

Correspondent banking 42 



1 IPage 



Strictly Confidential 



Wire transfers 42 

Record-keeping measures 43 

Suspicious activity reporting 44 

Staff training on AML/CFT 46 

F. CONCLUSIONS 47 

G. RECOMMENDED ACTION PLAN 49 

GLOSSARY 52 

ANNEX 1 56 

ANNEX 2 57 

ANNEX 3 58 

ANNEX 4 61 

ANNEX 5 64 

ANNEX 6 67 

ANNEX 7 73 

ANNEX 8 74 

ANNEX 9 75 



2IPage 



Strictly Confidential 

A. EXECUTIVE SUMMARY 



Background information 

1. MONEYVAL accepted the invitation of the President of the Eurogroup Working Group to 
conduct an assessment of whether Customer Due Diligence (CDD) measures are implemented 
effectively within the Cypriot banking sector. The assessment was conducted between 19 and 
29 March 2013. This evaluation is unique as no other jurisdiction has hitherto submitted to 
such an exceptional and focussed Anti-Money Laundering and Combating Financing of 
Terrorism (AML/CFT) evaluation covering the effectiveness of one part only of its 
AML/CFT system. This assessment is largely interview-based and has not been verified by 
access to customer data or files in the banks. 

Key findings 

2. Substantial international business, which is mainly tax-driven, is conducted in and through the 
Cypriot banking sector. Such international business involves various features such as complex 
corporate structures, cross-border transactions with counter-parties in various jurisdictions, 
introduced business, the use of nominee shareholders/directors, trusts, cliënt accounts and 
cash-collateralised loans. These features are inherently vulnerable to misuse for money 
laundering (ML) and financing of terrorism (FT) purposes and pose the highest ML/FT risk to 
the banking sector in Cyprus. 

3. In general, the banks interviewed demonstrated high standards of knowledge and experience 
of AML/CFT issues, an intelligent awareness of the reputational risks they face and a broad 
commitment to implementing the customer due diligence (CDD) requirements set out in the 
law and in subsidiary regulations issued by the Central Bank of Cyprus (CBC). 
Implementation of CDD measures, as described by the banks, appeared strong under most 
headings. However, a range of shortcomings with the potential to undermine the effectiveness 
of CDD was identified in many of the banks interviewed. In one bank the assessors had 
particular concerns about the overall effectiveness of their CDD procedures. This report 
focuses mainly on the risks and shortcomings identified and includes recommendations for 
remedial action. 

4. A large part of the international business is introduced to banks by professionals and trust and 
corporate service providers, the latter known in Cyprus as Administrative Service Providers 
(ASPs). The banks therefore place significant reliance on the business introducers in Cyprus 



3 IPage 



Strictly Confidential 



or other countries to certify the authenticity of many of the documents provided for CDD 
purposes and to perform some other elements of CDD. It is the assessors' view that reliance 
on introducers constitutes one of the largest areas of vulnerability for the banking sector in 
Cyprus. Given the significant role played by introducers in attracting international business to 
Cyprus, it was noted with concern that one of the categories of introducers (ASPs) although 
made subject to regulation is not yet supervised in practice for compliance with AML/CFT 
requirements and the supervision of the other categories of introducers (lawyers and 
accountants) needs to be strengthened further. 

5. All banks have procedures in place to determine the identity of the beneficial owner 
controlling the customer. In those cases where the customer is introduced, the identity of the 
beneficial owner is typically presented to the bank as part of an overall package of CDD 
documentation provided by the introducer. However, banks remain in many cases one or 
more steps removed from direct contact with the beneficial owner, still more where chains of 
introducers are used. In such cases, banks should implement the highest level of enhanced 
CDD, which could include (as indicated by some banks in Cyprus as already their practice in 
high risk cases) direct contact with the ultimate beneficial owner in a larger number of cases. 

6. None of the banks could point to the existence of an overall AML/CFT risk assessment 
conducted at the level of and specific to the individual bank which could be used to determine 
the risk appetite of the bank across the whole range of its potential business lines. 
Additionally, in a significant number of banks their compliance function is not always 
adequately consulted in the acceptance of high risk customers. These findings, in 
combination, constitute material deficiencies in light of the level of high risk international 
business being conducted in the banking sector. 

7. Some of the banks interviewed maintain business with a significant number of politically 
exposed persons (PEPs). The measures being applied to PEPs are not yet fully effective in 
some of the banks interviewed in respect of measures to determine the source of wealth of 
PEPs, identifying family members and close associates of PEPs and identifying a customer 
who subsequently becomes or is found to be a PEP. 

8. Various banks appear not to obtain sufficiënt information to create a meaningful economie 
and business profile of the customer and beneficial owner at the inception of a business 
relationship. This may undermine the effectiveness of ongoing monitoring carried out in the 
course of the relationship. 



4 I P a g e 



Strictly Confidential 



9. The substantial number of alerts generated by automated ongoing monitoring systems on high 
risk accounts appears to be disproportionate to the number of staff managing such alerts. As a 
consequence, insufficiënt consideration may be given to these alerts before being cleared. Not 
many suspicious activity reports (SARs) appear to have been made as a result of ongoing 
monitoring, which may call into question the effectiveness of the current monitoring systems. 

10. Although tax incentives are important in attracting business to Cyprus, the assessment team 
was advised that not many SARs are submitted by banks in relation to tax-related suspicions 
of ML. Notwithstanding the fact that, as a result of a recent amendment, certain tax crimes 
(including tax evasion) are now predicate offences for ML, many banks interviewed are either 
unaware or unclear about the full implications of such changes. 

11. Overall, therefore, the assessors are concerned that the combination of a number of features 
associated with international banking business (e.g., introduced business plus complex 
structures plus use of nominees) may in higher-risk cases bring the cumulative level of 
inherent risk beyond a level that is capable of being effectively mitigated by the CDD 
measures currently being applied. 

Methodology 

12. The MONEYVAL team selected 13 of the 41 banks for interview. This is a much larger 
sample of banks than would be interviewed in a regular MONEYVAL (or FATF) evaluation. 
The banks interviewed represent 71 per cent of the deposits and 76 per cent of the loans in the 
banking sector. The coverage included the 7 largest banks operating as at the 31 December 
2012 and other banks identified by the CBC as having significant international business 

The nature of the business and main vulnerabilities 

13. Cyprus has been marketing itself in recent years with considerable success as an international 
banking sector. The nature of the international business conducted includes acting as a 
conduit for flows into and out of Cyprus for which there is often no underlying business 
activity within the Cypriot economy - in effect offshore business. It is clear that the levels of 
international banking business conducted in/through Cyprus have, at least until recently, been 
substantial and have grown materially in the period 2010-2012. In many ways the business 
carried out in Cyprus with non-residents is not intrinsically different from international 
business conducted by numerous other jurisdictions. 



5 IPage 



Strictly Confidential 



14. The rationale for much of the international business conducted appears to be tax driven, 
largely arising from the wide range of doublé tax treaties (DTAs) entered into by the Cypriot 
authorities. Although other countries are also active in negotiating DTAs, cultural ties and 
historical factors are offered by the Cypriot authorities to explain why they have been 
particularly successful in attracting business from Russia. Foreign interest generally in Cyprus 
is also attributed to the fact that the Cypriot legal system is based on English law, and 
provides access to Common Law structures for the protection of wealth, unavailable in home 
jurisdictions. 

15. Significant levels of international business involve the setting up of Cypriot companies. At 
the end of February 2013, 270,741 companies were included on the register, 56,815 of them 
being registered since the start of 2010. While no statistics are available, it is thought that the 
majority of companies formed in Cyprus for non -Cypriot residents in recent years have been 
formed for Russian persons. 

16. Cyprus international business also commonly involves the setting up of a range of complex 
corporate structures, with different layers of entities situated in multiple jurisdictions and 
cross border transactions involving counterparties spread across different parts of the world. 
These structures frequently contain one or more features, each of which individually is 
classified by the Financial Action Task Force (FATF) as potentially high risk. Such features 
frequently include the use of nominee shareholders/directors, trust and cliënt accounts, and 
occasionally include legal entities with (non-Cypriot) bearer shares and the provision of cash 
collateralised loans. 

17. It is estimated that 75 per cent of international business is introduced by Cypriot introducers 
(sometimes involving chains of introducers from outside Cyprus) rather than sourced directly. 
These introducers are typically lawyers and accountants, who are regulated by their 
professional bodies for AML/CFT purposes and also ASPs, who were unregulated in Cyprus 
until very recently. The assessors noted that most introducers also provide trust and corporate 
services. This can involve the banks placing significant reliance on the business introducers in 
Cyprus or other countries to certify the authenticity of many of the documents provided in the 
CDD process and to collect information required in the course of ongoing monitoring. 
Although reliance is an acceptable mode of satisfying CDD requirements, in some cases this 
may exposé the banks to the risk of using false documentation or leave them exposed should 
there be subsequent changes in ownership or control of the entities without their knowledge. 
The assessors are of the view that Cypriot banks' reliance on introducers represents one of the 
largest areas of vulnerability for them. 



6 I P a g e 



Strictly Confidential 



Preventive measures and recommendations 

18. The Cypriot authorities have taken a range of legislative measures, in line with FATF and 
European Union standards, to minimise the risk of abuse for ML/FT purposes. Basically 
sound preventive requirements have been in place for several years at the levels of customer 
identification, identification of beneficial owner, record-keeping and reporting of suspicious 
activities. These requirements are set out in primary legislation (the Prevention and 
Suppression of Money Laundering and Terrorist Financing Laws of 2007 and 2010 as 
amended) and in secondary legislation (the Directive issued by the Central Bank of Cyprus 
(CBC) to banks (the CBC Directive)). The banks explained how they implement the 
obligations in the CBC Directive to obtain all the documents needed to adequately comply 
with CDD requirements. It was noted that the banks have sy sterns in place to monitor high 
risk business on an ongoing basis. CDD in the banking sector is also subject to a programme 
of inspections by the CBC. 

19. In general, bank managements appear conscious of AML/CFT risks and supportive of strong 
preventive measures, including, where warranted, the rejection of some high risk business 
and/or closing of existing accounts. Though few banks were able to provide firm statistics, the 
assessors concluded that a small but steady number of clients are formally rejected, with the 
most common reason being unwillingness to provide requested information. The assessors 
were frequently told that, in deciding whether to accept new business, emphasis was placed 
on the economie and financial rationale for conducting the business through Cyprus. This 
was, however, rarely presented to the assessors as an example of reasons for specific business 
being refused. A number of banks interviewed mentioned that the banks' compliance function 
had been granted a casting vote in decisions to reject new higher-risk business. In some 
Cyprus banks higher risk business can only be accepted with the prior approval of the 
compliance department. However, in a significant number of banks it appeared that 
compliance is involved in these decisions only where there is a query from the relationship 
manager. The assessment team considers that banks should review their policies and 
procedures for accepting higher risk customers and, where not already the case, ensure that 
ML/FT risk issues are taken fully into account. This process should involve the expertise of 
the compliance function in an enhanced advisory role. Banks should also ensure that their 
compliance functions are adequately resourced, in particular to facilitate effective ongoing 
monitoring. It would also be valuable, for the banks' own risk management purposes, to 
record rejected business more systematically, with particular emphasis on reasons for 
rejection. 



7 IPage 



Strictly Confidential 



20. In all cases banks interviewed confirmed that they have Board-approved AML/CFT policy 
statements, though there were material variations in their scope and content. In the small 
number of cases in which the assessors had the opportunity to review the broad content, they 
appeared to be comprehensive and generally to reflect the CBC Directive. While all banks 
interviewed apply risk assessments and classify customers into different risk categories, none 
of the banks interviewed could point to the existence of any overall AML/CFT risk 
assessment conducted at the level of and specific to the individual bank. In a jurisdiction 
where banks are conducting substantial amounts of business classified as potentially high risk 
by the FATF, the examiners would expect that the policies of the banks would already have 
reflected advanced international practice in this area, particularly as it is already a national 
requirement in Cyprus. What appeared to be absent in most cases was evidence of the type of 
overall analysis of risk which could be used to determine the risk appetite of the bank across 
the whole range of its potential business lines. Indeed, it appeared to the team that some banks 
mechanically address the points listed in the CBC Directive rather than conducting their own 
risk analysis, as required. The assessors consider that each bank should combine all of its risk 
analyses into an overall AML/CFT risk policy document, for Board approval. The assessors 
consider that this should be based on a thorough and meaningful process, which should 
include in particular any risk areas that might not previously have received sufficiënt 
attention. This analysis should be updated on a regular basis. 

21. All banks apply measures to identify the beneficial owner. In respect of those clients that are 
introduced to the banks, the identity of the beneficial owner is usually presented to the banks 
as part of an overall package of CDD documentation provided by the business introducer. 
This goes some way to explaining why most banks stated that they had no difficulty in 
identifying the beneficial owner. This statement was confirmed, to some extent, by the 
Cypriot Financial Intelligence Unit (MOKAS), which indicated that information on beneficial 
owners accompanies SARs sent by the banks. However, it was concluded by the assessors 
that, despite the documentation provided by the business introducers, banks remain in many 
cases one or more step(s) removed from the beneficial owner. The assessors consider it likely 
that there remain cases for a number of the banks where they have not had face-to-face 
contact with the beneficial owner, which may include situations normally classified as higher- 
risk. While this is not unique to Cyprus, it underlines the level of dependence on others to 
provide assurances, documentation and certification. Banks should implement the highest 
level of enhanced CDD, which could include (as indicated by some banks in Cyprus as 
already their practice in high risk cases) direct contact with the ultimate beneficial owner in a 
larger number of cases. 



8 IPage 



Strictly Confidential 



22. Given the significant role played by introducers in attracting international business to Cyprus, 
it was noted with concern that one of the categories of introducers (ASPs), though recently 
made subject to regulation, is not yet supervised in practice and the supervision of the other 
categories of introducers (lawyers and accountants) needs to be strengthened further. Banks 
should apply stricter controls on the use of business introducers, which involve not only the 
requirement that the introducer should be regulated, but also satisfying themselves, on an 
ongoing basis, that the quality of AML/CFT procedures applied by business introducers is 
adequate. Where a significant number of SARs is subsequently identified by the banks related 
to customers introduced by a particular introducer, those banks which do not already do so 
should consider terminating business relations with such introducers. 

23. With regard to individual components of CDD, weaknesses in the establishment of the 
business and economie profile of the customer have been identified. Banks should ensure that 
the customer business and economie profiles - particularly for high risk customers - are 
detailed, meaningful, accurate and regularly updated in order not to undermine the proper 
application of ongoing monitoring and that the purpose of the business relationship is 
identified and recorded in all cases. 

24. Additionally, the assessors were not persuaded that ongoing monitoring procedures were 
always being applied effectively. The substantial number of alerts which are generated by 
automated systems, as a result of the large number of high risk accounts, appear to be 
disproportionate to the number of staff available to manage and clear these alerts following 
sufficiently thorough consideration. Indeed, on the basis of information provided, not many 
cases of ML/FT suspicion are identified through ongoing monitoring. Banks should review 
the resources allocated to the monitoring of high risk international business and, where 
necessary, increase resources of compliance departments to fully investigate and properly 
review all the alerts raised on high risk accounts. 

25. The assessors observed that the implementation of the FATF Standard on politically exposed 
persons (PEPs) is not yet fully effective in all its aspects in some of the banks interviewed. 
While these deficiencies are not uncommon in many jurisdictions, they are important in the 
context of Cyprus, given the significant number of politically exposed customers with 
accounts in some of the banks. While in most cases banks were able to demonstrate the 
effectiveness of procedures to identify source of funds, measures to determine the source of 
wealth of PEPs were not always convincing. Measures to identify immediate family members 
and close associates of PEPs need to be reviewed and strengthened. Some of the banks also 



9 IPage 



Strictly Confidential 



do not yet have adequate measures to identify in a timely manner cases where an existing 
customer becomes or is subsequently found to be a PEP. 

26. The assessors noted a large backlog of amendments to registration documents at the Company 
Registry and a lack of follow up of a significant number of unsubmitted annual returns and 
financial statements. This raises questions about the ability of banks to fully apply CDD 
measures with respect to legal persons registered in Cyprus, especially given the speed with 
which company structures can be changed, which may go unnoticed by the financial 
institutions. Adequate resources need to be given to the Company Registry to rectify this 
situation. 

27. The assessors noted a widespread use by non-residents of Cypriot legal entities as holding 
companies for tax minimisation purposes. They were advised that not many SARs were 
submitted by banks in relation to tax-related suspicions of ML. The assessors expect that a 
recent and welcome legislative amendment, which renders certain tax crimes (including tax 
evasion) predicate offences for ML, will result in more tax-related SARs. Ho we ver, many of 
the banks and other obliged persons with whom the team met were either unaware or unclear 
about the full implications of these changes. The competent authorities should amend their 
directives to explain that tax evasion (including foreign tax evasion) is now within the scope 
of the STR reporting requirement and they should ensure that these changes are fully 
understood by the private sector through awareness-raising initiatives. 

28. Overall therefore, the assessors are concerned that the combination of a number of features 
associated with international banking business (e.g., introduced business plus complex 
structures plus use of nominees) may in some cases bring the cumulative level of inherent risk 
beyond a level that that is capable of being effectively mitigated by the CDD measures 
currently being applied. Indeed, the cumulative inherent risk may exceed the sum of each 
individual risk element. The assessment team therefore considers that the accumulation of 
high risks emanating from the use of complex structures, combined with introduced business, 
warrants the application of the highest level of enhanced due diligence, which needs to be 
fully reflected in the bank-specific risk assessments. Concretely, banks should as part of their 
overall risk policy: 

i. Recognise that the accumulation of risks in complex business in itself presents 
overarching risk; 

ii. Determine their appetite for such complex business bearing in mind whether the bank 
is in a position to effectively monitor and control the cumulative risks sufficiently to 



101 Page 



Strictly Confidential 



mitigate the possibility of abuse for purposes of ML (including in respect of tax 
crimes) and FT; 

iii. Set out the enhanced measures which need to be taken to mitigate these overarching 
risks; 

iv. Specify cases where it is appropriate based on an assessment of the risks to reject or 
terminate a cliënt relationship. 

29. Specific recommendations in relation to both the vulnerabilities inherent within the 
international business conducted by the banks, and in relation to the need for more effective 
implementation of particular CDD measures are made at the conclusion of this report. 



11 IPage 



Strictly Confidential 



B. ASSIGNMENT 



30. On 9 March 2013 Thomas Wiesner, the President of the Eurogroup Working Group, wrote to 
the Executive Secretary of MONEYVAL 1 in the context of the Cypriot request for financial 
assistance from the Euro area (Annex 1). The finance ministers of the Euro area had agreed 
with Cyprus that an independent evaluation of the AML/CFT framework should be 
commissioned and the Troika institutions had agreed that MONEYVAL's participation would 
be helpful. Specifically MONEYVAL was invited to conduct an assessment of whether CDD 
requirements are effectively implemented in the banking sector. 

31. The MONEYVAL Executive Secretary consulted with the Chairman and Vice Chairman of 
the Committee, who considered that in these exceptional circumstances, participation by 
MONEYVAL was necessary. The Executive Secretary responded positively to the request on 
12 March 2013 (Annex 2). 

32. The terms of reference as agreed between MONEYVAL and the programme partners appear 
at Annex 3. 2 MONEYVAL's evaluation is conducted under the FATF Recommendations 
2003 and the Methodology for Assessing Compliance with the FATF 40 Recommendations 
and the FATF 9 Special Recommendations 2004. This choice was made because the 
programme of evaluations under the 2012 revised FATF Recommendations has not yet been 
commenced by either FATF or MONEYVAL nor has the European Union Directive on the 
prevention of the use of the financial system for the purpose of money laundering and terrorist 
financing (Directive 2005/60/EC) been updated to reflect the revised standards. 

33. It was envisaged that MONEYVAL would work in parallel with an auditor to be agreed by 
the Central Bank of Cyprus and programme partners. Due to the delay in the appointment of 
the auditors, the sharing of preliminary key findings by MONEYVAL and the auditors could 
not take place on 27 March 2013 as had been specified in the terms of reference. In the 
absence of such opportunity for the sharing of findings, MONEYVAL considered it 
inappropriate to present its report as final as of 31 March 2013. The key findings were shared 



1 MONEYVAL is an independent monitoring body of the Council of Europe entrusted by the Committee of Ministers with 
the task of assessing compliance with the principal international standards to counter money laundering and the financing of 
terrorism and the effectiveness of their implementation as well as with the task of making recommendations to national 
authorities in respect of necessary improvements to their systems (see MONEYVAL's statute, Appendix to Resolution 
CM/Res(2010)12). MONEYVAL is an Associate Member of the Financial Action Task Force (FATF). Cyprus is one of the 
States evaluated by MONEYVAL. 

2 

Following the on-site visit by the MONEYVAL team, the terms of reference were revised to include additional information 
in relation to the tasks to be undertaken by the audit team. The MONEYVAL team did not receive the revised terms of 
reference. 



12 1 Page 



Strictly Confidential 



on 20 April 2013 subsequent to MONEY VAL' s onsite mission, which took place from 19 to 
29 March2013. 

34. The MONEYVAL evaluation team comprised: 

Mr Benoit Bienfait - Adviser (Prudential Policy & Financial Stability) National Bank 
of Belgium 

Mr Terence Donovan - Financial Expert (former Central Bank of Ireland) 

Mr Philipp Röser - Financial Scientific Expert to MONEYVAL (Liechtenstein) 

Mr Andrew Strijker - Cluster Co-ordinator Anti-Money Laundering and Anti- 

Corruption, EC/Task Force for Greece and Financial Scientific Expert to 

MONEYVAL (the Netherlands) 

Mr Richard Walker - Director of Policy and International Affairs, Guernsey 
Financial Services Commission (UK Crown Dependency of Guernsey) 

35. The assessment team was led by Mr John Ringguth, the Executive Secretary of 
MONEYVAL, who was assisted by Mr Michael Stellini from the MONEYVAL Secretariat. 

36. This evaluation is unique as no other jurisdiction has hitherto submitted to such an 
exceptional and focussed AML/CFT evaluation covering the effectiveness of one part only of 
its AML/CFT system. Evaluations in FATF and MONEYVAL's regular evaluation cycles 
usually cover the whole financial sector, as well as the legal and law enforcement sectors. 



13 I Page 



Strictly Confidential 



C. SCOPE AND METHODOLOGY 



37. This assessment, in line with the terms of reference, focuses primarily on effectiveness of 
implementation of CDD measures in the banking sector as at March 2013 against the 2003 
FATF Recommendations. The assessment team have considered the Prevention and 
Suppression of Money Laundering and Terrorist Financing Laws of 2007 and 2010 as 
amended (AML/CFT Law) and the Directive issued by the CBC to banks in accordance with 
Article 59(4) of the AML/CFT Law (the CBC Directive) which forms the relevant legal 
framework for AML/CFT preventive measures for the banking sector. A technical re- 
assessment of this law and directive has not been undertaken since no major technical 
changes have taken place since the last evaluation conducted by MONEY VAL in June 2010 
(report adopted on 27 September 2011) as part of its fourth round of evaluations 3 . An 
overview of the findings of the Fourth Round MONEYVAL report relevant to this assessment 
and the extent of the action taken by the Cypriot authorities so far is included at Annex 4. 



38. The objective in the terms of reference envisages the assessment to be conducted for a 
meaningful share of the banking system in Cyprus. In selecting banks for interview the 
assessors took into account, among other things, the level and composition of foreign-related 
deposits and loans in Cypriot banks, based on statistics provided by the CBC. A much larger 
sample of banks was interviewed than is possible in a normal MONEYVAL evaluation. 

39. The team selected 13 of the 41 banks 4 which were authorised to conduct banking business in 
Cyprus at the time of assessment. The banks interviewed represent approximately 71 per cent 
of the deposits and 76 per cent of the loans in the banking sector, including banks that did not 
exceed the threshold of EUR 2 billion of total deposits 5 . The sample included the 7 largest 
banks operating as at the 31 December 2012. The selection was made to cover the big Cypriot 
owned commercial banks together with branches and subsidiaries of foreign banks originating 
from Russia, Ukraine, Greece, Lebanon and Tanzania. The selections also paid attention to 
the levels of deposits and loans involving Cyprus companies belonging to non-residents and 
without physical presence (the so-called "brass-plate companies"). 



3 The follow up round of assessments by MONEYVAL was undertaken at the conclusion of the MONEYVAL third round 
(which mirrored the FATF 3 rd round). The purpose of this MONEYVAL 4th round is to maintain peer pressure on its states 
and jurisdictions, pending completion of FATF's 3rd round and the review of the FATF Recommendations which led to the 
recent revision of the FATF standards. 

4 There is also one representative office of a foreign bank. 

5 The Terms of Reference sets a EUR 2 billion threshold of total deposits for banks which should be included in the exercise 
by the auditors. 



14 1 Page 



Strictly Confidential 



40. The assessors conducted lengthy and informative meetings (each typically of 4-5 hours 
duration) with the folio wing banks: 



Bank of Cyprus plc 


Local bank 


Cyprus Popular Bank plc (Laiki Bank) 


Local bank 


1-Tpllpnip Ranlr x~\\c 


T opal Hanlr 


Piraeus Bank (Cyprus) Limited 


Subsidiary of a Greek Bank 


EFG Eurobank Ergasias S.A. 


Subsidiary of a Greek Bank 


FBME Bank Limited 


Branch of lanzanian Bank 


National Bank of Greece (Cyprus) Limited 


Subsidiary of a Greek Bank 


PrivatBank Commercial Bank 


Branch of a Ukrainian bank 


Societe Generale Bank - Cyprus Limited 


Subsidiary of a Lebanese bank 




(part of Societe General Group) 


Cyprus Development Bank plc 


Local bank 


Russian Commercial Bank (Cyprus) Limited 


Subsidiary of a Russian bank 


Alpha Bank Cyprus Ltd 


Subsidiary of a Greek bank 


Promsvyazbank JS Commercial Bank 


Branch of a Russian bank 



41. In the course of the interviews, the team met with compliance staff in all banks, and, 
according to availability, senior management, internal audit, relationship managers, and 
representatives of international business units which operate in the large majority of banks. 
All meetings with the private sector took place in the absence of representatives of the 
supervisory authorities, as is customary in MONEYVAL evaluations. 

42. The findings and recommendations of the team are largely interview43ased and the results 
depend on the information provided primarily in those interviews. MONEYVAL has not 
verified the information provided in interviews by access to customer data or files in the 
banks. Given that the terms of reference envisage two complementary exercises by 
MONEYVAL and the auditors, it is understood that such verification through customer data 
or files has been undertaken as part of the auditors' sampling, as approved by the CBC and 
the programme partners in accordance with the terms of reference. 

43. The CBC and the banks were requested to pro vide statistics on deposits made and loans 
granted by (i) country of residence and (ii) country of origin, for both owners [customers] and 
beneficial owners as specified in the terms of reference. The assessment team was informed 
that statistics based on the beneficial owner could not be made available for the banking 
system in time for inclusion as part of MONEYVAL' s assessment. The assessment team 



15 I Page 



Strictly Confidential 



understands that a breakdown of deposits and loans of the top 100 customers was 
subsequently provided by the banks to the audit team. 

44. At least 60 relevant topics were addressed in the course of every interview with banks under 
the broad headings of: 

Structure and status of AML/CFT compliance within the banks 

Governance issues: the role of banks' Boards in determining ML/TF risk policy 

- AML/CFT Risk Policy 

- Staff training on AML/CFT 

Role of internal audit and group compliance (where applicable) 

Identification and verification measures 

Identification and verification of beneficial ownership 

Client Acceptance 

Higher risk categories of customers 

Information on the purpose and intended nature of the business relationship 

Ongoing monitoring 

Politically Exposed Persons 

Correspondent banking relationships 

Wire transfers 

Record4ceeping measures 

Suspicious activity reporting. 

45. The assessors discussed in detail the AML/CFT policies and procedures of each bank. The 
banks were required to demonstrate to the assessors the extent to which the policies and 
procedures are implemented in practice. To this end, practical questions were posed, 
including scenarios associated with customer acceptance in the particular context of Cyprus, 
and the process of identifying beneficial owners. The evaluators also focussed on the 
incidence of rejected business, business terminated after commencement of business relations, 
and resolution of any disputes between compliance and customer on43oarding departments. 

46. The team met with the CBC to discuss their supervisory practices and findings insofar as they 
were relevant to the assessment of the effectiveness of implementation of CDD in the banking 
sector. An overview of the supervisory work conducted by the CBC is presented at Annex 5. 
The team also met with the MOKAS to verify information received from the banks in relation 
to their transmission of suspicious activity reports. 



161 Page 



Strictly Confidential 



47. Introducers play a critical role in the international business profile of many banks' customers 
and in the CDD processes of banks. Accordingly, the evaluators considered it necessary 
within their terms of reference to interview a small number of introducers and also their 
regulators (Cyprus Securities and Exchange Commission (CYSEC), the Cyprus Bar 
Association (CBA) and Institute of Certified Public Accounts of Cyprus (ICPAC). For an 
overview of the functions of these regulators reference may be made to Annex 6. Similarly, 
the assessors interviewed the Company Registry since it also has an impact on the 
effectiveness of CDD in respect of legal persons. Further information on the Company 
Registry is available at Annex 7. 

48. As it is outside the scope of the terms of reference for this assessment, the assessment team 
was not in a position to evaluate the effectiveness of the work of the CBC, the CYSEC, the 
CBA, the ICPAC, MOKAS and the Company Registry, except where considered strictly 
relevant to the assessment of the effectiveness of implementation of CDD by the banks 
themselves. 

49. A list of all the entities met on-site by the assessment team is presented at Annex 8. 



17 I Page 



Strictly Confidential 



D. THE BANKING SECTOR AND INTERNATIONAL BUSINESS IN CYPRUS 



The Banking Sector 

50. According to figures provided by the CBC, as at 31 December 2012, the banking sector held 
approximately EUR 70 billion in deposits and EUR 72 billion 6 in loans. 

51. At the commencement of the assessment there were 6 banks in Cyprus that were majority- 
owned by resident shareholders 7 . Collectively, these banks account for approximately EUR 
52 billion in terms of deposits and EUR 47 billion in terms of loans, with the largest share 
held by Bank of Cyprus, Cyprus Popular Bank, Hellenic Bank and Cooperative Credit 
Institutions. The ownership structure of local banks varies. Three banks were fully owned by 
resident shareholders 8 . 

52. Branches and subsidiaries of foreign banks constitute the rest of the banking sector in Cyprus. 
The geographical spread of the foreign banks operating in Cyprus is as follows: 



Foreign bank 


Branches in 


Subsidiaries 




Cyprus 


in Cyprus 


EU Member State 


11 


5 


Non-EU Member 
State 


16 


3 



53. In terms of customer base, as at 31 December 2012, banks collectively held approximately 
EUR 38 billion in deposits and EUR 49 billion in loans for Cypriot residents (61 per cent) and 
EUR 32 billion in deposits and EUR 23 billion in loans for non-residents, including brass- 
plate companies (39 per cent). The table below provides an overview of the customer base of 
the entire banking sector in Cyprus. 



6 All the data featuring in this section was provided by the CBC and represents the sector in terms of deposits and loans held 
by banks as at 31 December 2012. 

7 Bank of Cyprus plc, Cyprus Popular Bank plc (also known as Laiki Bank), Cyprus Development Bank plc, Hellenic Bank 
plc, Housing Finance Corporation and Cooperative Credit Institutions 

8 Bank of Cyprus plc, Cyprus Popular Bank plc (also known as Laiki Bank), Cyprus Development Bank plc 



18 IPage 



Strictly Confidential 



Customer 


Deposits 
(billion 

TTTT1Ï~> 
EjUK.) 


Loans 
(billion 

17TTD*> 
EjUK.) 


Resident 


38 


49 


Brass-plate companies 9 


5.3 


4.7 


Greece 


4.6 


2.1 


Russia 


4.9 


4.2 


Other EU 


2.9 


5.4 


Other Non-EU 


14.2 


6.7 


Total 


69.9 


72.1 



International Business 

54. Cyprus has been marketing itself in recent years with considerable success as an international 
banking centre, having moved away some years ago from the bank ownership and licensing 
structures which had characterised it previously as an offshore centre. However, the nature of 
the international business conducted continues to include acting as a conduit for flows of 
funds into and out of Cyprus, for which there is often no underlying business activity within 
the Cypriot economy - in effect, offshore business. This type of business carries with it a 
number of vulnerabilities, which are described in the body of the report (under Section E). 

55. The Cypriot banking system is large in relation to the domestic economy, continuing to 
represent at the time of this assessment eight times the national GDP. It is clear that the levels 
of international banking business conducted in/through Cyprus have, at least until recently, 
been substantial and have grown materially in the period 2010-2012. 

56. The assessors sought to quantify the volume of international business in their meetings with 
banks, service providers and some of Cypriot authorities and through review of available 
statistics. The team was not provided with clear and comprehensive statistics in this regard 
and was informed that accurate information is not yet available that would pull together the 
various strands of this business. 

57. However, information was provided by the CBC in respect of direct exposure of the banking 
system to non-residents in aggregate and also broken down by Greek and Russian persons 



9 The CBC was not in a position to provide a breakdown of the country of origin of the beneficial owners behind these legal 
entities. 



19 I Page 



Strictly Confidential 



(who account for the highest proportion of non-resident accounts), persons from other 
European Union countries and persons from other non-European Union countries. As at the 
end of December 2012, the position was stated by the CBC as follows: 



Customer (excluding brass-plate 
companies) 


Deposits 
(billion 

EUR) 


Loans 
(billion 

EUR) 


Russia 


4.9 


4.2 


Greece 


4.6 


2.1 


Other EU MS 


2.9 


5.4 


Other non-EU MS 


14.2 


6.7 


Total 


26.6 


18.4 



58. Data was not provided for later dates and the current position is likely to differ significantly 
from that shown above. 

59. The figures above do not present anything close to the full picture in relation to non-resident 
business, in particular for Russia. For example, it is common for Cypriot-registered 
companies (by definition resident companies) to be used to hold non-resident assets as part of 
structures. An accurate statistical analysis cannot be included as comprehensive data on 
loans/deposits by country of origin or residency of beneficial owner was not made available 
for the purposes of this assessment. 

60. Notwithstanding, the absence of concrete data on non-resident account holders, the banks 
interviewed observed that non-resident customers, when looked at as ultimate beneficial 
owners, account for a substantial part of Cypriot banking business. In some banks 
interviewed, the percentage of non-resident customers was in excess of 70 percent. The CBC 
was in the course of collecting data from the banks classified on the basis of country of 
residence of beneficial owner. This initial exercise was due for completion by mid-April, too 
late to be of assistance for this assessment. However, some banks had already compiled at 
least preliminary data and were therefore in a position to assist the assessment team with 
estimated country-by-country breakdowns. 

6 1 . The rationale for much of the international business conducted appears to arise from the wide 
range of doublé tax agreements (DTAs) entered into by the Cypriot authorities, in particular 
the DTA with Russia, a protocol to which was recently amended. Although other countries 
are also active in negotiating DTAs, including with Russia, cultural ties and historical factors 



20 I P a g e 



Strictly Confidential 



are offered by Cypriots as explaining why they have been particularly successful in attracting 
business from Russia. Interest by Russian persons in Cyprus is also attributed to the fact that 
the Cypriot legal system is based on English law, which is of benefit in many ways including 
in preparing companies for share listing (IPOs) on the London Stock Exchange and provides 
access to Common Law structures for the protection of wealth unavailable elsewhere. The 
current Cypriot 10 percent corporate tax rate 10 is also an important factor. 

62. Banks and company service providers were helpful in explaining to the team the economie 
and business rationale for the use of a number of different tax-driven structures, typically 
involving the use of Cypriot-registered holding companies and/or a variety of cross-border 
banking facilities. In all cases, the interviewees maintained that the services provided were 
legitimate tax-minimisation arrangements, taking advantage of well-known provisions of the 
tax code. It is not within the scope of the mission to form a view on the legitimacy or 
otherwise of these arrangements and they are referenced in this report principally due to their 
relevance in explaining the high levels of international financial services business in Cyprus 
and to provide a basis for discussion of the challenges they can present to banks in seeking to 
implement effective CDD. This is addressed as part of the analysis in this report of the 
effectiveness of CDD. 

Trust and Company Services and Business Introducers 

63. The assessors noted that, in many cases, the international tax -based business entails the 
creation of corporate structures. As a result, the provision of trust and corporate services by 
registered lawyers, accountants and ASPs is widespread in Cyprus. Such services include the 
formation of holding company structures involving Cypriot-registered companies, combined 
with companies in other jurisdictions such as the British Virgin Islands, Belize, Seychelles or 
certain states in the United States of America. The use of business introducers and of nominee 
shareholders or directors is common. Trust structures are also used and non-Cypriot bearer 
shares also occasionally feature. 

64. Lawyers, accountants and ASPs, when acting as business introducers, also handle all the 
necessary procedures for the opening and operation of bank accounts with Cypriot banks. 
Indeed, significant international business is introduced to the banks by such third parties. 
Some banks received comparatively little introduced business but in others it was close to 100 



Financial services practitioners who commented on the issue expressed the opinion that the proposed increase in the 
corporate tax rate to 12.5 per cent was unlikely in itself to impact materially on the levels of international business being 
conducted through Cyprus. 



21 I Page 



Strictly Confidential 



percent. Based on the interviews, the assessment team considers that perhaps 75 percent of 
international business in the banking sector is introduced. 

65. It is not known precisely what proportion of trust and corporate services business is accounted 
for by lawyers, accountants and ASPs. However, it is estimated that some 260 administrative 
service providers will apply for authorisation by June 2013. The assessment team was 
informed that some 270 firms of lawyers pro vide administrative services so far, while 850 
accountants undertake such business, of which ICPAC expects 200 firms to apply to them for 
a licence. A very large majority of all service providers have five or fewer staff. 

66. Some of the banks also accepted business introduced by firms outside Cyprus. The 
assessment team was advised that introducers from outside Cyprus were generally limited to 
those from other EEA countries. The assessment team was not in a position to confirm this. 

67. It was difficult to obtain a sense of the level of business undertaken by individual introducers 
in Cyprus. One statistic provided by the CBA is its estimate that no law firm administers more 
than a thousand companies. It was also suggested that it would be usual for a firm of five 
lawyers engaging in administration activity to administer some fifty companies. 

Companies 

68. Given that significant levels of international business involve the setting up of Cypriot 
companies, the assessment team considered it appropriate to examine the extent to which 
Cypriot companies are owned by non-residents. A description of the type of legal entities that 
may be registered in Cyprus is provided at Annex 9. 

69. At the end of February 2013, 270,741 companies were included on the register, with an 
estimated 90 percent being companies limited by shares. The number of company formations 
over the last five years is demonstrated in the table below. 



Year 


Companies formed 


2012 


17,999 


2011 


19,538 


2010 


19,278 


2009 


16,101 


2008 


24,453 



22 I P a g e 



Strictly Confidential 



70. Companies limited by shares (private companies) are by far the most common form of 
company. Of these 98 percent were estimated as being general trading companies or 
companies which hold investments or immoveable assets. 



71. Neither the registry nor any other authority currently maintains information of any kind on the 
beneficial ownership of Cypriot companies. It was clear from the totality of the interviews 
conducted by the review team that a large proportion of Cypriot companies are owned by 
Russians in particular, and Ukrainians. A large proportion of the remainder are owned by 
Western Europeans, with a small minority coming from the rest of the world with some 
markets expected to develop such as China and Israël. 



23 I P a g e 



Strictly Confidential 



E. FINDINGS AND RECOMMENDATIONS 



Introduction 

72. As noted, the assessment team held detailed discussions with 13 of the 41 banks operating in 
Cyprus, chosen to provide a meaningful representation by size and type of business of the 
overall banking system, with particular focus on international business. Since, as mentioned 
earlier, international business often involves the provision of trust and corporate services, 
several providers of these services were also met by the assessment team to form a 
comprehensive view of the manner in which the international business is conducted in 
Cyprus. 

73. While the points for discussion during the meetings broadly folio wed the topics addressed in 
Recommendations 5, 6, 7, 10, 11, 13 and Special Recommendation VII of the 2003 FATF 
Recommendations, particular emphasis was placed in the discussions on the measurement, 
prioritisation and management of ML and TF risk in the banks, in the particular context of the 
scale of international business which has been conducted in or through Cyprus. 

74. As explained earlier, the team was not in a position to directly test the responses provided by 
the banks by having access to customer records or files; in that respect, the approach taken 
was similar to a regular AML/CFT assessment, with the exception that the interviews with the 
banks were significantly longer and much more detailed. 

Structure and status of AML/CFT compliance within the banks 

75. The assessors sought to determine the degree of independence granted to the compliance 
function in each bank interviewed and the extent to which the voice of the compliance 
function is listened to particularly when important customer-acceptance decisions are taken. 
While each bank explained its own unique approach, a number of the banks interviewed 
maintained that the compliance function had been granted a casting vote in decisions to 
accept or reject new higher-risk business. In most of the other banks, the compliance function 
expressed confidence that their concerns would nonetheless be addressed, for example by 
seeking additional information and documentation from or in relation to the prospective 
customer. In a significant number of banks, it appeared that compliance would become 
involved only where a query was referred to them from the relationship manager. The 
assessors noted the position in certain banks that higher-risk business can only be accepted 
with the prior approval of the compliance function. With a few exceptions, compliance 



24 I P a g e 



Strictly Confidential 



officers appeared satisfied with the level of available human resources. A number of banks 
advised that they are planning or implementing enhancements to existing IT systems, 
particularly to improve efficiency in ongoing monitoring. 

76. When accepting higher risk customers, banks should ensure, where not already the case, 
that ML/FT risk issues are taken fully into account, with the process involving the 
expertise of the compliance function in an enhanced advisory role. 

Governance issues: the role of banks' Boards in determining ML/TF risk policy 

77. The assessors explored with each bank interviewed the manner in which the compliance 
function is represented on or reports to the Board itself or its committees (e.g. Audit 
Committee, Risk Committee). The responses varied reflecting the internal structures of each 
bank but, typically, the heads of compliance or money laundering compliance officers 
(MLCOs) were not Board members. The most common pattern is that they reported through 
the Audit Committee or had a reporting line to the director responsible for risk management. 

78. In terms of management reporting for AML/CFT, at a minimum each bank prepared the 
annual report of the MLCO which, in addition to submission to the Board, is also provided to 
the CBC. In most cases, however, the banks could point to more frequent reporting, 
sometimes quarterly, to the Board or a Board committee, addressing such AML/CFT matters 
as changes in the law or requirements, progress reports on AML/CFT IT systems or other 
projects, SARs reported in the previous period (including an outline of the cases) and staff 
training plans. Not having sight of any of these reports, the assessors cannot form any 
conclusion regarding their effectiveness. In general, however, bank managements appear 
conscious of AML/CFT risks and supportive of strong preventive measures, including where 
warranted the rejection of some high-risk business and/or closing of existing accounts. In a 
number of interviews, management representatives stressed the priority given to protecting 
the reputation of the bank. 

AML/CFT Risk Policy 

79. In all cases, banks interviewed confirmed that they have Board-approved AML/CFT policy 
statements, though the assessors found material variation in their scope and content. In the 
discussions, a few banks did not distinguish high-level policy from detailed AML/CFT 
procedures, but this was in cases where the entire procedures manual is subject to Board 
approval. In the small number of cases in which the assessors had the opportunity to review 



25 I P a g e 



Strictly Confidential 



the broad content of these documents, they appeared to be comprehensive and to reflect 
closely the content of the CBC Directive. In most cases, the pattern was found to be as 
follows: 

• A Board-approved high-level policy statement in support of the fight against money 
laundering/terrorist financing, sometimes in the nature of a mission statement or, in a 
couple of cases, including many detailed operational decisions; 

• A Board-approved customer acceptance policy statement which addresses all or most 
of the high-risk business categories specified in the CBC Directive, perhaps with 
some categories added by the individual bank; and 

• A detailed AML/CFT procedures manual (in some cases combined with one or both 
of the above documents). 

80. The assessors did not have the opportunity to examine these documents in detail but have no 
reason to be critical of them, per se. However, the assessors note that none of the banks 
interviewed could point to the existence of any overall AML/CFT risk assessment conducted 
at the level of and specific to the individual bank. In a jurisdiction where banks are 
conducting substantial amounts of business classified as potentially higher risk by the FATF, 
the assessors would expect that the policies of the banks would already have reflected 
advanced international practice in this area. The assessors note that the CBC Directive has, 
since 2008, required each bank to prepare and maintain a risk assessment report. Perhaps the 
issue is one of interpretation, as the assessors observed that many of the practical steps that 
should flow from such a risk assessment are already in place (e.g. classifying customers into 
high/medium/low categories). 

81. What appeared to be absent in most cases was evidence of the type of overall analysis of risk 
in each bank which can be used to determine the risk appetite of the bank across the range of 
its potential business lines. In some cases, it was clear that risk-based decisions had been 
made to restrict or exclude some business lines and to apply additional conditions or 
documentary requirements for others. However, it appeared to the team that some banks 
mechanically address the points listed in the CBC Directive rather than conducting their own 
risk analysis, as required. 

82. Each bank should combine all of its risk analyses into an overall AML/CFT risk policy 
document, for Board approval, based on a thorough and meaningful consideration 



26 I P a g e 



Strictly Confidential 



which should include in particular any risk areas that might not previously have 
received sufficiënt attention. This analysis should be updated on a regular basis. 

Role of internal audit and group compliance (where applicable) 

83. The AML/CFT function is subject to internal audit (at local or group level, as appropriate) in 
each of the banks interviewed. In addition, for banks that are part of international groups, 
there was evidence of checking also by one or more levels of group compliance. 

Identification measures 

84. In line with the CBC Directive, banks confirmed that they identify customers in all cases and 
do not operate anonymous or numbered accounts. For international business, most customers 
are corporate entities and supporting documentation is obtained to confirm the identification 
of the customer, the directors and the owners. Although some of these structures are complex 
and can involve legal entities in two or more jurisdictions, there was a consistency in the 
responses of the banks that they are required to, and do in practice, identify all relevant parties 
through all layers of these structures. The assessors did not come upon any examples to 
suggest lack of understanding or weak compliance on this aspect. 

Verification measures 

85. Most of the banks were persuasive in their discussions with the assessors that they take 
seriously the implementation of the obligations in the CBC Directive to obtain all of the 
documents needed to provide verification of ownership of accounts, covering personal, 
corporate and other business entities effectively. The compliance and/or business line 
personnel from the banks provided comprehensive explanations of procedures for even the 
most complex structures encountered, with a confidence that indicated sound practical 
experience. 

86. However, a few banks indicated that projects to update verification documentation for 
customers existing at the time of the material upgrading of the Cypriot AML/CFT 
requirements in 2007/8 were, to some extent, still in progress. The banks concerned informed 
the assessors that the outstanding work related to retail business and the omissions were 
mainly technical in nature (e.g. no copy of utility bill, out-of-date identification document) 
but may also include incomplete customer profile to provide the base line for ongoing due 
diligence. In general, most of the customer base, including larger, riskier, and corporate 



27 I P a g e 



Strictly Confidential 



customers appeared to have been addressed at this stage. The assessors are not in a position to 
confirm the extent of the gaps or determine whether they are sufficiently material to 
undermine the findings of the current exercise. 

87. Banks should update any remaining outstanding CDD in relation to existing customers 
without further delay. 

88. As discussed in some detail in this report, the channels used by a significant number of 
Cypriot banks to source and maintain international business, and in some cases the 
complexity of the structures involved, create challenges for the effective implementation of 
CDD measures. For purposes of verification, in order to comply with the FATF Standard, 
banks need to obtain "reliable, independent source documents, data or information". The 
banks were generally persuasive in their explanations that they insist on obtaining 
documentation to confirm, for example, registration of companies, trust agreements 
appointing nominee shareholders or directors, trust deeds (or relevant extracts therefrom). The 
approach they adopt is similar to that encountered in other banking systems that attract 
offshore business. However, the assessors noted that this entails placing significant reliance 
on others (often business introducers) in Cyprus or other countries to certify the authenticity 
of many of the documents provided. In some cases, this may exposé banks to the risk of using 
false documentation or leave them exposed should there be subsequent changes in ownership 
or control of the entities, without their knowledge. It is difficult for the assessors to offer 
specific recommendations to mitigate these risks, as they are inherent in at least some of the 
offshore -type business conducted in centres such as Cyprus. However, documentary 
verification should be just one element of effective CDD and, for example, the strong focus in 
the case of Cyprus on the beneficial owner(s) behind the corporate business and on 
understanding the rationale for business proposals (as discussed below), are important 
elements in risk mitigation. 

89. In their reliance on business introducers, banks are exposed to any weaknesses that arise in 
CDD conducted by the introducers. Given the significant role played by introducers in 
attracting international business to Cyprus, it was noted with concern that one of the 
categories of introducers (ASPs) is not yet supervised in practice and the supervision of the 
other categories of introducers (lawyers and accountants) needs to be strengthened further. 
The assessors were made aware of cases in which banks placing reliance on introducers did 
not appear to be reviewing the introducers' AML/CFT procedures subsequent to the 
assessment conducted at initial acceptance. 



28 I P a g e 



Strictly Confidential 



90. Banks should implement stricter controls on the use of business introducers to ensure 
not only that the introducer is regulated but also that the introducer's AML/CFT 
procedures are reviewed on an ongoing basis. In accordance with best practice reported 
to the assessors by several banks, where concerns arise on the reliability of CDD 
conducted by a particular business introducer, or a significant number of SARs relate to 
customers they introducé, banks should always consider terminating business relations 
with the introducer.. 

9 1 . The MONEYVAL fourth round mutual evaluation report expressed concerns about the ability 
of financial institutions to fully apply CDD in relation to legal persons given the large backlog 
of amendments to registration details at the company registry. In addition to the backlog 
identified in the evaluation report, the registry receives only 60,000 to 70,000 of the annual 
returns and financial statements required by law. Few of the companies not providing these 
documents are followed up. It is not known how many of the companies not filing annual 
returns and financial statements are beneficially owned by non-Cypriots. This widespread 
failure to provide annual returns and financial statements also means that industry cannot 
fully apply customer due diligence measures where business relationships involve Cypriot 
companies. 

92. The Company Registry should be provided with the staff and other resources necessary 
to remove the backlog of amendments to company registration documents and to follow 
up unsubmitted annual returns and financial statements. 

Identification and verification of beneficial ownership 

93. Banks interviewed advised the assessors that they pay particular attention to satisfying 
themselves that they know and have verified the identity of the natural person(s) who own or 
control the business structures doing business with the banks. A number of banks interviewed 
had IT systems for the compliance function which classified business relationships based on 
the country of residence or origin of beneficial owner. Others were in varying stages of 
developing this analysis at the time of the assessment. 

94. The banks interviewed were persuasive when explaining the steps they took in general, and 
for higher-risk business in particular, that they had identified and verified the identity of 
beneficial owners (for all shareholdings exceeding 10% in accordance with the Cypriot legal 
requirement) across a range of corporate structures and arrangements. This needs to be 
considered, however, in the context of the risk profile of international banking business 



29 I P a g e 



Strictly Confidential 



conducted in/through Cyprus. The assessors consider that the characteristics of some of the 
business may create particular vulnerabilities for which, even with their best efforts, the banks 
may struggle to be certain that the claimed beneficial owner is - and continues to be during 
the life of the relationship - truly the natural person who is the owner or controller (e.g., in the 
case of some of the more complex introduced business cases). Other categories of business, 
though appearing complex in its final form, might not challenge the banks in conducting 
effective CDD for the reason that the beneficial owner is already well known to them and the 
business proposals and structures are built from Cyprus, with the beneficial owner as the 
starting point. In the case of a couple of banks interviewed, the explanation of the basis for 
being satisfied as to the beneficial owner was less compelling, focussing more on 
documentary procedures which, though from the discussions appeared to be comprehensive, 
would not in all cases guarantee that a bank 'knows who the beneficial owner is'. However, 
the scope of the assessment did not provide the assessors with the opportunity to 
independently test individual files and the practice of the Cypriot banks appeared on the face 
of it to meet the international Standard in this area. 

95. All banks interviewed made references to their practices in seeking to achieve face-to-face 
contact at some point with ultimate beneficial owners, particularly in relation to their largest 
and highest-risk customers. Methods described include one or more of the following: 

The relationship manager arranges a face-to-face visit to the business premises of an 
important customer, perhaps as part of a broader marketing trip; 
The customer is encouraged to visit the bank in Cyprus (not unusual for a customer to 
take a direct interest in the bank given the large amounts of the customer' s funds the 
bank may have under its control); 

Some banks have group structures or maintain foreign branches and/or representative 
offices (e.g. most commonly in Russia but also in Greece, Ukraine and a range of 
other countries) that can provide a point of contact with customers and can facilitate 
the direct application of CDD measures, such as taking a copy of a passport. 
However, the extent and feasibility of use of this method is not clear to the assessors 
where the bank is dependent on, for example, a single representative office in 
Moscow to reach customers in a wide geographical area. 
In the absence of direct access to customer files, the assessors could not confirm the extent of 
direct contact with beneficial owners by banks in Cyprus. Having regard in particular to the 
importance of introducers as a source of business for the banks, the assessors consider it 
likely that there remain cases for a number of the banks where they have not had face-to-face 
contact with the beneficial owner that may include situations normally classified as higher- 
risk. While this situation is not unique to Cyprus, it underlines the inherent riskiness from an 



30 I P a g e 



Strictly Confidential 



AML/CFT perspective of much of the international banking business conducted through 
Cyprus and the level of dependence on persons other than the beneficial owner to provide 
assurances, documentation and certifications. 

96. Banks should implement the highest level of enhanced due diligence, which could 
include (as indicated by some banks in Cyprus as already their practice in high risk 
cases) direct contact with the ultimate beneficial owner in a larger number of cases. 

Client Acceptance - economie and financial rationale for conducting business in/through 
Cyprus 

97. The assessors noted that on deciding whether to accept new business, emphasis was placed by 
most banks on the economie and financial rationale for conducting the business in/through 
Cyprus, obtaining a plausible explanation for the choice of business structure or model, and 
conducting at least some measure of checking on the source of funds and/or wealth. While a 
number of other banks also mentioned conducting a reasonableness test before accepting new 
business, the assessors were left with the impression that the checks conducted in these cases 
might not have been so deep. Even for the remaining small number of banks that did not 
emphasise this point, there were nonetheless references to rejecting implausible business 
proposals (e.g. a 24 year old wishing to open an account to deposit a large sum and claiming 
to have wealth running into millions, without any supporting evidence and where an internet 
search did not provide any corroboration, would be rejected as either a potential fraud or as a 
'front' for an unidentified other person). 

98. The assessors requested statistics from the banks on the number of new account opening 
requests which have been refused or new business proposals rejected, as well as on 
terminations of ongoing relationships due to potential ML/TF concerns. While few banks 
could provide firm statistics, from available data and anecdotal evidence, the assessors 
conclude that a small but steady number of clients/prospective clients are formally rejected, 
with the most common reason being an unwillingness to provide the bank with requested 
supporting information. However, some banks also pointed out that many more cases may be 
turned away as unsuitable at the point of initial contact and never get to the stage of a formal 
account-opening application. 

99. The assessors are not in a position to verify this information and suggest that it would be 
valuable for the banks' own risk management purposes to record rejected business 
information more systematically, with the particular emphasis on the reasons for rejection. 



31 IPage 



Strictly Confidential 



This could be useful, inter alia, in identifying trends and as an additional component of staff 
training. 

Higher risk categories of customers 

100. A significant proportion of international business conducted in/through Cyprus would 
be considered by the assessors to have higher-risk characteristics. By definition, the 
international business is with non-residents and it is not unusual to have multiple jurisdictions 
and multiple parties involved in the transactions. As explained elsewhere in the report, much 
of the new business is introduced, from either domestic or cross-border sources. Information 
was given also on tax-driven business models and practices, including cash collateralised 
loans. Private banking and/or wealth management services are offered by a number of Cypriot 
banks. Use of trusts (some created under Cypriot law but more commonly created under the 
laws of other jurisdictions) as part of customer ownership structures is not uncommon and 
there remain some residual cases where company ownership is evidenced by non-Cypriot 
bearer shares. AU of these are examples of practices that come within the definition of 
potentially high risk categories of customers in the FATF Recommendations and, as such may 
warrant the application of enhanced due diligence. 

101. The banks interviewed explained that they conduct comprehensive risk-based due 
diligence checks. While the distinction between 'normal' due diligence and 'enhanced' due 
diligence might be difficult to define consistently for the Cypriot banks, reflecting the high 
le veis of inherent risk in the scope of their due diligence, the le veis of checking which the 
banks said they conducted appeared generally proportionate, except in the case of one bank. 

102. The following paragraphs outline the findings of the assessors with regard to each of 
these categories of potentially higher-risk business and in relation to the implementation of 
enhanced levels of due diligence by the Cypriot banks interviewed. 



Introduced business 

103. The modalities of introduced business in the context of international banking 

business in Cyprus were outlined earlier in this report. By reference to the FATF 
Standard, the assessors worked on the basis that this business does not typically represent 
a full reliance on third parties (i.e., validly, where certain conditions are met, relying on a 
regulated third party to conduct CDD and retain related documentation, to be obtained by 



32 I P a g e 



Strictly Confidential 



the relying bank only if requested). While all of the Cypriot banks maintained that they 
conduct their own full CDD in relation to business introduced to them, the assessors took 
the view that the Cypriot approach is something of a hybrid in that banks still place 
substantial reliance on the introducer in certain respects e.g., in making face-to-face 
contact with the customer, in sourcing and certifying identification documentation and in 
providing the business rationale for the overall scheme or structure. If the work of the 
introducer is sub-standard, this creates an exposure for the bank. Banks are aware of this 
exposure and, in discussions with the assessors, could point to at least a small number of 
cases in which they had discontinued their relationship with an introducer and removed 
them from their approved list based on one or more bad experiences - typically at the 
early stages of a new relationship. 

104. It was noted that in the course of its inspection programme in the last three years 
the CBC identified a number of cases where banks placed reliance on third parties that 
did not fulfil the conditions required under the AML/CFT Law and the CBC Directive 
and most of the sanctions that were imposed by the CBC during this period were related 
to such breaches. 

105. Most banks that accept business from introducers reported that they restrict the 
scope of such acceptance to Cypriot introducers, although cross-border intragroup 
introductions are also common. At least one bank interviewed sources its business mainly 
from non-Cypriot EEA introducers. Moreover, during the course of an interview 
conducted with one introducer who introducés business to six banks in Cyprus, it 
emerged that it was not unusual for customers to be introduced to a bank through a chain 
of more than one introducers, including where originating from other jurisdictions, which 
could include non-EEA countries. While the assessors accept that CDD work in these 
cases is nonetheless 'conducted' by the Cypriot bank, in line with the procedures set out 
in the CBC Directive, acceptance of business in this manner would still involve accepting 
confirmations and certifications through a chain of sources over which the banks has little 
or no control. It is this level of reliance on others - including in other jurisdictions - 
which increases the risk of misunderstanding or misrepresentation along the chain, 
potentially undermining the value of the CDD. 

106. An outline of the supervisory framework for introducers can be found in Annex 
6. 

Nominee shareholders and directors 

33 I P a g e 



Strictly Confidential 



107. The use of nominees (as shareholders and/or directors) is a typical feature of 
companies registered as part of structures coming to banks, whether from business 
introducers or otherwise. In many cases, the banks informed the assessors that they insist 
on obtaining a certified copy of the trust agreement under which the beneficial owner 
appoints the nominee to act on his behalf. The assessors can accept that this approach 
should be effective in minimising the risk. However, the assessors were made aware in 
one of the interviews that a further issue can arise with introduced business where a 
beneficial owner insists on being the sole signatory on the bank account of a company for 
which a business introducer is acting as director. Typically, the bank relies on the 
introducer for access to information but in these circumstances he might no longer be in 
effective control of the use of the account. In addition to potentially creating difficulties 
for the introducer in meeting his legal obligations as a company director, this situation 
may also increase risk for the bank of misuse of the company account by the beneficial 
owner. 

Corporate Structures 

108. The assessors had extensive discussions with the banks on the range of corporate 
structures - newly created or migrated to them - which they encounter as part of their 
international banking business. Typically, as outlined elsewhere in this report, they relate 
to holding company structures, for purposes of tax minimisation and/or asset protection. 
In many structures, Cypriot-registered shelf companies are used in conjunction with 
companies registered in (or trusts under the laws of) other jurisdictions, to further reduce 
applicable taxes. 

109. The banks explained that they conduct CDD at all le veis of each structure until 
they are satisfied that the structure makes economie sense, and they have confirmed the 
registration of each of the companies and the identity of all beneficial owners. In the 
absence of access to customer files, the assessors could not confirm this directly. While 
this business, on the face of it, would normally be considered high-risk, the assessors 
could accept that where a bank was from the outset closely involved or informed of the 
creation of the structure, enhanced ongoing due diligence might not always be warranted. 
Although most of the banks interviewed acknowledged that some of the business they 
accept involves more complex structures, and is therefore treated by them as higher-risk 
in nature, they apply the same approach of working through the structure to satisfy 



34 I P a g e 



Strictly Confidential 



themselves that they have documentary evidence of registration and ownership at each 
level and are satisfied also that they know the beneficial owner(s). 

110. With regard to trusts (mostly non-Cypriot), there was a divergence among the 
banks on the conduct of due diligence. Approximately half of the banks interviewed who 
accept at least some trust structures, which the assessors understand are not very widely 
encountered, insist on access to the full trust deed. The remainder accept extracts showing 
the names of the parties involved and thus run the risk that key information might have 
been withheld from them. In all cases, the banks explained that, in accordance with the 
CBC Directive, they identify - and verify the identity of - a range of parties to the trust, 
including the trustees, settler and beneficiaries. In the absence of access to customer files, 
the assessors consider that the due diligence described would comply with best 
international practice, but also note that trust structures and other such legal arrangements 
can in practice be constructed in a manner that can mislead and the application and 
beneficial ownership of trust assets can be controlled in ways which are not necessarily 
specified in the trust deed itself. As for other business types described in this section, the 
further removed the Cypriot bank is from the beneficial owner, the more vulnerable it is 
to being misled. However, based on the information made available to the assessors, no 
particular example of weak CDD for trusts was identified. 

Cash-collateralised loans 

111. While most banks interviewed confirmed that they have provided at least some 
back-to-back or cash-collateralised facilities, they were seen to be of more significance in 
a small number of the banks and there appeared to the assessors to be a particular Russian 
connection to such facilities. Examples quoted to the assessors included the routing of 
financing of a Russian business through a Cypriot bank by incoming deposit supporting 
an outgoing loan by the bank to the Russian business. In this way, the arrangement serves 
the needs of both asset protection and the likelihood that the businessman would get 
repayment of his investment. If structured correctly, certain tax advantages also accrue. 

112. Inherently, cash-collateralised loans eliminate credit risk. However, they may 
carry material ML or TF risk. Banks interviewed that engage in this business emphasised 
the importance of getting comfort on two main aspects; (1) that the incoming deposited 
funds can be confirmed to come from a legitimate source and (2) that the business 
receiving the loan actually exists and can demonstrate its economie rationale. 



35 I P a g e 



Strictly Confidential 



113. These points are supplemental to the key issue of knowing the beneficial owner 
and conducting all other Standard CDD. As the assessors were not in a position to 
examine individual cases, no conclusion can be drawn in relation to the effectiveness of 
CDD for this area, beyond noting that it is potentially very high risk business, not least 
due to the difficulty of obtaining independent and reliable verification of the source and 
legitimacy of incoming funds. 

Client Accounts 

114. As is normal, many of the banks operate cliënt accounts, mostly as pooled 
accounts for lawyers, but in some cases also for accountants and at least potentially real 
estate agents. It is included here as a category of potentially high-risk business due to the 
use of such accounts as part of the process of concluding deals for non-resident clients. 
The range of enhanced due diligence applied to cliënt accounts varied across the banks 
interviewed. In all cases, banks stated that they complied with the requirement in the CBC 
Directive to apply CDD measures to all transactions in such pooled accounts above 
EUR15,000, including obtaining documentation in support of each transaction. One bank 
opted to go further, in also requiring the small number of lawyers for whom they operate 
accounts to designate sub-accounts for each cliënt for clarity. In this area, the assessors 
are satisfied that the practices of the banks, in accordance with the requirements specified 
by the Cypriot authorities, are in line with international best practice. However, no view 
is offered on the transactions of the lawyers themselves as this topic is beyond the scope 
of the assessment. 

Bearer shares 

115. According to the banks interviewed, bearer shares (non-Cypriot) still feature in 
some of the structures they have accepted but only a few examples remain, with most 
shares having been registered in recent years. It is to be noted that it is not possible to 
issue shares in bearer form for a Cypriot-registered company. In the few relevant cases, 
the banks explained they have either immobilised the bearer shares themselves by 
maintaining physical custody or, more rarely, rely on a custodian (typically a bank 
outside Cyprus) to provide a written undertaking that they hold custody of the shares. In 
addition, the banks obtain on an annual basis from the beneficial owner a written 
confirmation of changes, if any, relating to the ownership of the bearer shares. The 
assessors welcome the reduction in use of bearer shares. The assessors could not form a 
firm view on the effectiveness of the CDD measures in this case. As described, they 

36 I P a g e 



Strictly Confidential 



appear to depend heavily on the integrity of the beneficial owner and his willingness to 
provide accurate information on the true ownership of the shares and any changes therein, 
particularly changes occurring between the annual reviews. 

Use of cash 

116. Based on the interviews with the banks, the assessors did not find extensive 
evidence of account opening in Cyprus funded by large cash deposits, except for a small 
number of specific cases. In addition to the to-be-expected deposits from cash-generating 
local businesses, a couple of banks highlighted trends in the recent past of Greek residents 
withdrawing funds from the Greek financial system, travelling to Cyprus with cash to be 
deposited in Cypriot banks. A similar practice, though with a different domestic cause 
was reported in the case of Egyptian Coptic Christians. In all cases, the banks confirmed 
that, in accordance with the CBC Directive, they would not accept amounts in excess of 
EUR 10, 000 without the required evidence of declaration to Cypriot customs on arrival 
in the country. In addition, normal CDD procedures are applied and one bank also 
detailed the background checks they conduct to provide comfort that the original source 
of funds/wealth is from legitimate sources. 

High-risk jurisdictions 

117. When questioned on their approach to country or geographical risk , the banks 
generally referred to avoiding business with countries subject to UN sanctions (current 
and, in some cases, historical) and countries on lists published by the FATF as having 
weak AML/CFT requirements. A few banks applied analysis to determine on a risk basis 
some additional countries or regions from which they would not be prepared to accept 
business. In general, however, and reflecting the geographical location of Cyprus, banks 
are open to accepting business globally, and more particularly from most countries in the 
region - in some cases, they have access to local knowledge or are part of a banking 
group that already has a presence in the country of origin of business, placing them in a 
better position to assess country risk. 



118. This section has highlighted a number of individual features of international banking 

business conducted in/through Cyprus, none of which are unique to Cyprus and many of 
which can be found in banking systems worldwide. Reference has also been made in this 
report to the extent to which CDD requirements are specified for these types of higher-risk 



37 I P a g e 



Strictly Confidential 



business in the very comprehensive CBC Directive. In general, and based on detailed 
interviews with the banks rather than direct checking by the assessors, the implementation of 
CDD measures in relation to these risks was seen to be proportionate to the individual risks, 
with a possible exception in the case of one bank. 



119. Nevertheless, the assessors have a residual concern. The combination of a number of 

features associated with international banking business (e.g. introduced business plus 
complex structures plus use of nominees) may in some cases bring the cumulative level of 
inherent risk beyond a level capable of being effectively mitigated by the CDD procedures 
currently being applied. To provide one hypothetical example, in a case where a business 
proposal is received by a bank from a business introducer, in respect of a beneficial owner 
who is not already known to the bank and has just been referred indirectly to the business 
introducer, without face-to-face contact, and contains a proposed structure that includes more 
than one of the elements outlined above (cash collateralised loan, bearer shares, trust and 
nominee structures), the cumulative inherent risk may materially exceed the sum of each 
individual risk element. 



120. A key issue is the extent to which this risk accumulation is recognised by the current 

approach to compliance (based mainly on obtaining documentary evidence for each 
component). In seeking to mitigate the risks it is best practice for a bank to have determined 
in advance its risk appetite for such complexity and to have set predefined limits for business 
acceptance. Another key issue is whether or not controls can be put in place to provide the 
bank with certainty regarding the customer's use of the structures and arrangements thus 
minimising the possibility of: 

abuse of the relationship for ML (including tax evasion) or TF; or 
changes made in beneficial ownership or structures being made without the 
immediate knowledge of the bank. 



121. Therefore, the assessment team considers that the accumulation of high risks 
emanating from the use of complex structures combined with introduced business warrants 
the application of the highest level of enhanced due diligence and, which should be fully 
reflected in the bank-specific assessments. 

122. Concretely banks should as part of their overall risk policy: 

i. Recognise that the accumulation of risks in complex business in itself 
presents overarching risk; 



38 I Page 



Strictly Confidential 



ii. Determine their appetite for such complex business bearing in mind 
whether the bank is in a position to effectively monitor and control the 
cumulative risks sufficiently to mitigate the possibility of abuse for 
purposes of ML (including in respect of tax crimes) and FT; 

iii. Set out the enhanced measures which need to be taken to mitigate these 
overarching risks; 

iv. Specify cases where it is appropriate based on an assessment of the risks 
to reject or terminate a cliënt relationship. 

123. The accumulation of high risks has implications for the CBC's supervisory 
work, in particular in relation to those banks most exposed to such risks. The CBC 
should take these considerations into account and incorporate them appropriately when 
updating the CBC Directive. 

Information on the purpose and intended nature of the business relationship 

124. The banks interviewed explained that information is routinely collected on the 
business and economie profile of a customer at the outset of the business relationship. This is 
in line with the CBC Directive, which set outs a detailed list of information that each bank is 
required to obtain on the customer, including the purpose and reason for opening the account, 
the anticipated account turnover, the nature of transactions and a clear description of the main 
business/professional activities/operations. Examples were provided by banks on the type of 
information and documentation which is generally obtained. Although on the basis of the 
interviews conducted the assessment team was satisfied that banks were sufficiently aware of 
this requirement, some of the banks indicated that one of the shortcomings identified during 
internal audit work and CBC on-site inspections was insufficiënt collection of information on 
the economie profile of certain customer s. 

125. Banks should ensure that the purpose of the business relationship is identified 
and recorded in all cases and that the economie and business profile of high risk 
customers is detailed, meaningful, accurate and regularly updated, where this has not 
already been done. 

Ongoing monitoring 

126. The role of banks' compliance functions with regard to ongoing monitoring and 
implementation of CDD measures can be divided as follows: 



39 I P a g e 



Strictly Confidential 



Systematic transaction monitoring; 

Periodic review, including review of CDD at intervals determined by risk 
classification; 

Bringing CDD for existing customers up to current standards (deficiencies referenced 
earlier in this report). 

127. All banks interviewed indicated that they had in place some means of checking 
transactions against expected activity for a customer and also checking against a set of 
indicators for potential money laundering or terrorist financing. A variety of approaches was 
described to the assessors, with varying degrees of scope, automation, and sophistication. A 
few banks were in the course of developing or expanding their automated systems and appear 
to be currently over-dependent on manual procedures. Almost all of the banks interviewed 
stressed the extent of the work done by their compliance functions, often in conjunction with 
relationship managers, to obtain comfort that individual large transactions are legitimate. The 
assessors were informed that invoices, contracts and other relevant supporting documentation 
is routinely requested from customers and examined for legitimacy before transactions can be 
cleared to proceed. 

128. Without access to customer files, the assessors cannot directly confirm the depth or 
scope of this checking. However, as stated earlier, some banks indicated that one of the 
shortcomings identified by the CBC during on-site inspections was the collection of 
insufficiënt information on the business and economie profile of the customer. The assessors 
believe that such shortcomings, if they are of a more widespread nature, could have a 
significant bearing on the effectiveness of ongoing monitoring conducted by banks. 

129. Furthermore, in view of the significant number of customers categorised as high risk 
by banks in Cyprus, the assessors were advised that automated checking systems can generate 
a high daily volume of alerts requiring attention. Given the substantial number of alerts 
involved, questions arise about the depth of necessary investigation into individual alerts. In a 
high risk environment, this also raises questions on the overall manageability of alert 
clearance, following sufficiently thorough consideration. Indeed, the assessors noted that not 
many cases of ML or TF suspicion are being identified through the automated monitoring 
systems. 

130. Banks should review the resources allocated to the monitoring of high risk 
international business and where necessary increase resources of compliance 
departments to fully investigate and properly review all the alerts raised on high risk 



40 I P a g e 



Strictly Confidential 



accounts. Any banks not already conducting such transaction checking thoroughly 
across the full range of their higher-risk business should be required to improve the 
effectiveness of their implementation. 

131. During the course of the on-site visit, 'Restrictive Measures on Transactions' were 
imposed by the Cypriot authorities to prevent capital flight. The assessment team asked for a 
confirmation from the CBC that no transfers had been carried out in breach of these restrictive 
measures, which was confirmed. Subsequently, media reports alleged that some capital had 
left the country in breach of these controls. In itself, this topic is outside the scope of this 
report. However, if these allegations are subsequently found to have some basis in fact, it may 
also have implications that bear on the effectiveness of ongoing monitoring of accounts, 
particularly if found to be connected to proceeds of crime. 

Politically Exposed Persons 

132. The customer base of some banks includes a significant number of PEPs. In most 
cases, the identification procedure of PEPs consists of a direct question included in the 
account-opening form. Checks are also carried out on various commercial databases and other 
open internet sources. In most cases account-opening forms examined by the assessment team 
did not include questions regarding 'immediate family members' or 'close associates'. 
Identification of such persons is generally dependent solely on the use of a single commercial 
database. 

133. The assessment team concluded that some of the banks do not appear to have 
adequate measures in place to identify cases where an existing customer becomes or is 
subsequently found to be a PEP, despite being a requirement under the CBC Directive. Banks 
informed the assessment team that this situation would be identified as part of annual CDD 
reviews or, in the case of some banks, more frequently. The assessment team considers that 
this would generally be caught only where the cliënt had already been identified as high risk. 
The review procedures for normal risk customers have a much longer time scale, typically 3 
to 5 years. 

134. In most cases the banks interviewed were able to demonstrate the effectiveness of 
their procedures with regard to obtaining information on the source of funds. However, with 
regard to obtaining comfort on the source of wealth, the explanations provided by the banks 
were not always persuasive. One bank indicated that no one had given them a definite answer 



41 I Page 



Strictly Confidential 



on what they ought to do in this respect and considered it beyond their terms of reference to 
enquire. 

135. Banks should strengthen the implementation of due diligence procedures in 
relation to PEPs, particularly when seeking to identify 'family members' and 'close 
associates' of PEPs, ascertaining source of wealth, and identifying customers who 
subsequently become PEPs. These issues may point to a need for the competent 
authorities to issue further guidance on establishing sources of wealth. 

Correspondent banking 

136. Only few banks interviewed reported providing cross-border correspondent banking 
relationships to respondent institutions. Where they exist, 'vostro' accounts are mainly used 
for cross-border payments and foreign exchange. Many of these accounts appear to be held 
for financial institutions situated in countries outside the Euro area. In establishing such 
relationships, information on the business and reputation of the respondent institution is 
generally obtained from "The Bankers' Almanac" and other online commercial databases. 

137. The assessment of the AML/CFT control of respondent institutions is based on a 
questionnaire either developed internally or else based on the questionnaire created by the 
Wolfsberg Group. The establishment of correspondent relationships is in all cases approved 
by the highest level of management. The responsibilities of each institution are set out in the 
formal agreement entered into with the respondent bank. All of the banks providing 
correspondent services advised the assessors that they do not provide the services of 
"payable-through accounts" to respondent institutions. 

138. It is to be noted that the Cypriot legal frame work, contrary to the FATF standards, 
does not require the application of enhanced CDD in relation to correspondent relationships 
established with respondent institutions situated within the European Economie Area. 

Wire transfers 

139. Banks in Cyprus are required to comply with the obligations set out in European 
Union Regulation 1781/2006 on information on the payer accompanying transfers of funds, 
which is directly applicable in all European Union member states. Further guidance is 
provided in the CBC Directive. Although there was no opportunity to inspect the systems 
implemented by banks through files and records, the assessment team was satisfied from the 

42 I P a g e 



Strictly Confidential 



information they were given that all banks interviewed maintain adequate banking systems to 
automatically prevent transfers of funds that are not accompanied by complete information on 
the payer (name, address and account number). Complete information on the payer is verified 
on the basis of information obtained from a reliable and independent source. Most banks 
pointed out that this obligation was applied irrespective of the EUR 1,000 threshold set out in 
the CBC Directive. The majority of wire transfers are carried out from the account of an 
existing customer, where verification of the payer' s identity would have already been carried 
out at the account -opening stage. 

140. For incoming wire transfers, some banks reported that transfers containing 
incomplete information on the payer are automatically identified by the banking systems and 
rejected. Other banks reported that such transfers trigger an automatic report and the 
execution of the transfer is temporarily suspended. Within the suspension period, the bank 
requests the ordering bank to furnish the missing information. Where such a request is not 
satisfied the transfer is rejected. 

141. Incomplete information on the payer is included in the internal procedures of all 
banks as a factor in assessing whether the transfer of funds is suspicious and whether it must 
be reported to MOKAS. However, the evaluation team noted that some banks do not keep a 
record on whether a particular ordering financial institution regularly fails to supply the 
required information on the payer, and to consider restricting or terminating the business 
relationship with such an ordering financial institution. On the other hand, one bank informed 
the evaluation team that an ordering financial institution was reported to MOKAS for the 
repeated failure to provide complete information on the payer and the business relationship 
with that ordering financial institution was terminated. 

Record-keeping measures 

142. All banks indicated that they satisfied record-keeping requirements and it was usual 
for the assessment team to be advised that records are maintained for longer than the 
minimum five year period, with periods of seven years, ten years and indefinitely being 
mentioned. Records are maintained either in paper or electronic form. Paper records were 
maintained either within the banks or in archive facilities. In some cases, banks were 
undertaking projects to scan paper records. 



43 I P a g e 



Strictly Confidential 

143. The CBC confirmed that information was made available promptly during its on-site 
inspections and in response to requests for information during off-site supervision such as 
investigations. MOKAS also confirmed that information was made available promptly. 

Suspicious activity reporting 

144. The assessment team sought to understand the reporting patterns of the banks 
interviewed, since the number and quality of SARs is an indicator of the quality of CDD. In 
general, the banks interviewed appeared to have a sound knowledge and awareness of 
reporting requirements. 

145. Procedures and processes between the banks were similar. Internal reports are 
submitted to the compliance department by all the staff of the banks. These reports are 
investigated and, when the compliance department identifies concrete suspicions, a formal 
report is filed with MOKAS. It was also common for compliance departments to make reports 
to MOKAS not arising from staff reports but through their own monitoring or receipt of 
information from third parties, including the media. The number of SARs reported varied 
between banks. One bank had made 417 SARs to MOKAS from 2010 to 2012, while another 
had made two or three a year during this period. 

146. MOKAS indicated that reports are always accompanied, where relevant, by 
information on the identity of beneficial owners involved in reported transactions, together 
with copies of passports. This appears to indicate that all banks obtain and maintain 
information on the beneficial owner. 

147. Several banks noted that suspected fraud, particularly investment frauds, accounted 
for the majority of reports made to MOKAS. One bank added that corruption in relation to 
Greek business accounted for a number of reports. A majority of SARs appeared to be made 
in relation to business relationships which had been introduced and which included company 
structures. As already noted, the assessment team recommends that where a significant 
number of SARs emanated from a particular business introducer the banks concerned should 
always consider terminating business relations with that introducer. The residence of the 
subjects of the SARs also appeared to be broadly in proportion to the business base of the 
banks, although the suspected money laundering arising from fraud tended to emanate from 
Western European countries rather than from, for example, Russia or Ukraine. No other 
patterns in relation to SARs were reported by the interviewed banks. 



44 I P a g e 



Strictly Confidential 



148. As noted above, tax advantages available in Cyprus account for much of its 
international business. The identification by banks of suspicious activities involving tax and 
the analysis by MOKAS can lead to the identification of money laundering through tax 
crimes and other major predicate offences. In this way the SAR regime can mitigate some of 
the risks inherent in high-volume international business. 

149. The fourth round MONEYVAL report noted that there were no restrictions on the 
reporting of suspicious activities regarding tax. Some tax offences under the Customs Code 
Law 2004 were already predicate offences to ML at the time of the last evaluation, as they 
carried penalties in excess of one year's imprisonment. MOKAS confirmed to the present 
assessment team that they do receive some SARs, but not many, involving tax offences, 
notwithstanding the fact that tax incentives are important in attracting business in Cyprus. Tax 
evasion under the Assessment and Collection of Taxes Law, however, was not a predicate 
offence to ML in 2010. The Cypriot authorities, by an amending law of 21 December 2012, 
raised the maximum penalty for fraudulent omission or delay to pay amounts of tax to the 
level required to render it a predicate offence for ML. Significantly, the Cyprus authorities 
accept that conduct committed abroad which would constitute a predicate offence 
domestically is also within the SAR reporting requirement. Thus, potentially SAR reports can 
now be made in respect of suspicions of foreign tax evasion offences identified particularly in 
international business transactions. Many of the banks and other obliged persons with whom 
the team met were either unaware or unclear about the full implications of these changes. 

150. The competent authorities should amend their directives to explain the new 
provisions on the introduction of tax crimes (including tax evasion) as predicate offences 
to ML. Careful guidance needs to be given on the assessment of risk in this context, 
including on business structures likely to be used for tax evasion purposes. Guidance 
should also be given on the identification of suspicious activities related to domestic and 
foreign tax evasion. The amendments to the directives should be accompanied by awareness- 
raising initiatives by the regulators and MOKAS to ensure that the potential consequences of 
these changes are fully appreciated quickly by the private sector. 

151. MOKAS may wish to consider focussing its analysis on tax-evasion-related ML once 
the new changes have been fully explained to the private sector. Where there is sufficiënt 
evidence, MOKAS will wish to ensure that investigation and prosecution are pursued in this 
area. Since the ML risk in Cyprus may involve tax crimes in foreign jurisdictions, MOKAS 
will wish to give high priority to the provision of relevant information spontaneously to its 
partners in and outside the European Union. 



45 I P a g e 



Strictly Confidential 



152. The team would expect the level of reporting on tax-related ML to increase 
considerably as a result of these developments. 

153. The recent legislative changes may also help to improve Cyprus' domestic success 
rate in stand-alone ML cases, where foreign authorities are able to provide sufficiënt material 
to establish the underlying predicate tax offence in ML proceedings brought in Cyprus. 

154. Overall, the assessment team found the framework for identifying and reporting 
suspicion to be basically sound, although, as noted above, the banks reported that not many 
SARs emanated directly from ongoing monitoring. Given the need for more SAR awareness- 
raising within the banks themselves in the immediate future connected with the recent tax 
changes, there is a need for additional staff training, for which a recommendation is included 
below. 

Staff training on AML/CFT 

155. Banks outlined to the assessors the range of training provided for compliance staff 
and client-facing staff regarding AML/CFT issues. While there were encouraging accounts of 
the use of case studies and particular emphasis on high-risk business, from the range of 
responses, the assessors had some concerns that: 

The amount of time devoted to training of client-facing staff may be insufficiënt; 

In some cases, it appeared that little specialist training had been provided to the 

compliance function staff. 

156. Banks should review their current staff training arrangements, both for client- 
facing staff and for the compliance function, and enhance the training where necessary 
to reflect best practice, taking into account in particular the types of higher-risk 
business that staff are liable to encounter. AII banks should focus training, inter alia, on 
the importance of creating and regularly updating economie and business profiles of 
customers, ongoing monitoring, and the identification of suspicion (particularly in the 
international business context). 



46 I P a g e 



Strictly Confidential 



F. CONCLUSIONS 



157. The assessment team has drawn a number of conclusions on the banking system in 
Cyprus and the effectiveness of the CDD implementation by the banks. The nature of these 
conclusions is twofold. The first set of conclusions relates to the vulnerabilities which are 
inherent within the business conducted by the banks. The second relates to weaknesses 
identified by the assessors in the implementation of CDD measures by banks. 

158. As stated, a significant part of the business conducted by banks in Cyprus is 
international in nature and, commonly, involves the setting up of complex corporate 
structures, with different layers of entities situated in two or more jurisdictions and cross- 
border transactions involving counterparties in different parts of the world. The use of 
nominee shareholders/directors, cliënt accounts and cash collateralised loans are often part of 
such business. Although tax incentives are important in attracting business in Cyprus, not 
many SARs have been submitted by banks with regard to tax-related money laundering. 

159. Furthermore, a large part of the business is introduced to the banks by Cypriot 
lawyers, accountants and ASPs rather than sourced directly. In some cases, the customer is 
not directly introduced to the bank by a Cypriot introducer but through a chain of introducers 
sometimes situated outside Cyprus. 

160. As a result, understanding the rationale behind the business and identifying the 
persons controlling the business may present particular difficulties, despite the banks' best 
efforts to obtain adequate information. Reliance is often placed on the introducer for such 
purposes. Although such reliance is an acceptable mode of satisfying CDD requirements, it 
can present a number of challenges. The bank, in most cases, remains one or more steps 
removed from direct contact with the beneficial owner. Additionally, the level of information 
on the customer is only as good as the quality of CDD documentation and certification 
provided by the introducer and changes in the business structure or the beneficial owner may 
potentially take place without the bank's knowledge. 

161. Overall, it was concluded that while the business carried out in Cyprus is not 
intrinsically different from international business carried out in other jurisdictions, the 
magnitude of the business and the combination of various features which are characteristic of 
the Cypriot regime may raise the degree of cumulative risk to a level that is difficult to 
manage. 



47 I P a g e 



Strictly Confidential 

162. Weaknesses within the effective implementation of CDD requirements, which further 
augment the risk of abuse, were identified. Procedures dealing with ML/FT risk are typically 
based on the risk-categories set out in the CBC Directive rather than on an assessment of the 
real and potential risks posed by the type of customers and services offered by the bank. 
Compliance staff are not always consulted in the process for acceptance of new high-risk 
customers. The business and economie profile of customers is not always detailed enough to 
provide an adequate baseline for meaningful ongoing monitoring. The substantial number of 
alerts generated by automated monitoring systems can be disproportionate to the number of 
staff managing these alerts. The amount of time devoted to training of front-line staff appears 
to be insufficiënt and little specialist training is provided to the compliance function staff. 
Some of the banks do not appear to have adequate measures in place to identify cases where 
an existing customer becomes or is subsequently found to be a PEP. Measures to identify 
'immediate family members' or 'close associates' of PEPs and to obtain information on the 
source of wealth of PEPs are generally weak. Not many SARs are submitted by banks in 
relation to tax-related suspicions of ML. 

163. In light of the vulnerabilities and weaknesses identified by the assessors, various 
recommendations are being made in Section G to ensure expedited and targeted action by the 
banking sector. 



48 I P a g e 



Strictly Confidential 

G. RECOMMENDED ACTION PLAN 



Each recommendation below includes in brackets proposals as to the priority and suggested 
timescale for implementation. 

1. Each bank should combine all of its risk analyses into an overall AML/CFT risk policy 
document, for Board approval, based on a thorough and meaningful consideration which 
should include in particular any risk areas that might not previously have received sufficiënt 
attention. This analysis should be updated on a regular basis. 

Concretely, banks should as part of their overall risk policy: 

i. Recognise that the accumulation of risks in complex business in itself 
presents overarching risk; 

ii. Determine their appetite for such complex business bearing in mind whether 
the bank is in a position to effectively monitor and control the cumulative 
risks sufficiently to mitigate the possibility of abuse for purposes of ML 
(including in respect of tax crimes) and FT; 

iii. Set out the enhanced measures which need to be taken to mitigate these 
overarching risks; 

iv. Specify cases where it is appropriate based on an assessment of the risks to 
reject or terminate a cliënt relationship. 

[High priority - 6 months and ongoing] 

2. In cases in vol ving an accumulation of high risks, particularly where emanating from the use 
of complex structures combined with introduced business, banks should strengthen their 
current procedures in line with their updated risk policy and consistently implement the 
highest level of enhanced due diligence. This could include (as indicated by some banks in 
Cyprus as already their practice in high risk cases) direct contact with the ultimate beneficial 
owner in a larger number of cases. [High priority - 6 months and ongoing] 

3. Banks should implement stricter controls on the use of business introducers to ensure not only 
that the introducer is regulated but also that the introducer's AML/CFT procedures 
are reviewed on an ongoing basis. In accordance with best practice reported to the assessors 
by several banks, where concerns arise on the reliability of CDD conducted by a particular 
business introducer, or a significant number of SARs relate to customers they introducé, 
banks should always consider terminating business relations with the introducer. [High 
priority - 6 months and ongoing} 



49 I P a g e 



Strictly Confidential 



4. When accepting higher risk customers, banks should ensure, where not already the case, that 
ML/FT risk issues are taken fully into account, with the process involving the expertise of the 
compliance function in an enhanced advisory role. [High priority - 6 months and ongoing] 

5. Banks should review the resources allocated to the monitoring of high risk international 
business and where necessary increase resources of compliance departments to fully 
investigate and properly review all the alerts raised on high risk accounts. Any banks not 
already conducting such transaction checking thoroughly across the full range of their higher- 
risk business should be required to improve the effectiveness of their implementation. [High 
priority - ongoing] 

6. Banks should strengthen the implementation of due diligence procedures in relation to PEPs, 
particularly when seeking to identify 'family members' and 'close associates' of PEPs, 
ascertaining source of wealth, and identifying customers who subsequently become PEPs. 
These issues may point to a need for the competent authorities to issue further guidance on 
establishing sources of wealth. [Medium priority - 12 months] 

7. Banks should ensure that the purpose of the business relationship is identified and recorded in 
all cases and that the economie and business profile of high risk customers is detailed, 
meaningful, accurate and regularly updated, where this has not already been done. [Medium 
priority - 6-12 months, risk prioritised] 

8. Banks should update any remaining outstanding CDD in relation to existing customers 
without further delay. [Medium priority - 6-24 months, risk prioritised] 

9. Banks should review their current staff training arrangements, both for client-facing staff and 
for the compliance function, and enhance the training where necessary to reflect best practice, 
taking into account in particular the types of higher-risk business that staff are liable to 
encounter. All banks should focus training, inter alia, on the importance of creating and 
regularly updating economie and business profiles of customers, ongoing monitoring, and the 
identification of suspicion (particularly in the international business context). [Medium 
priority -12 months and ongoing] 

The following supplemental recommendations are included as they are directly relevant to placing 
the banks in a position to implement effective CDD measures: 

10. The competent authorities should amend their directives to explain the new provisions on tax 
crimes (including tax evasion) as predicate offences to ML. Careful guidance needs to be 



50 I P a g e 



Strictly Confidential 



given on the assessment of risk in this context, including on business structures likely to be 
used for tax evasion purposes. Guidance should also be given on the identification of 
suspicious activities related to domestic and foreign tax evasion [Medium priority -6-12 
months] 

11. The accumulation of high risks has implications for the CBC's supervisory work, in particular 
in relation to those banks most exposed to such risks. The CBC should take these 
considerations into account and incorporate them appropriately when updating the CBC 
Directive. [Medium priority - 12 months] 

12. The Company Registry should be provided with the staff and other resources necessary to 
remove the backlog of amendments to company registration documents and to follow up 
unsubmitted annual returns and financial statements. [Medium priority - 12 months] 

13. The supervisory regime for ASPs should be brought fully into effect as quickly as possible 
and the AML/CFT supervision of lawyers and accountants, in their role as business 
introducers, should be further strengthened. [Medium priority - 12 months and ongoing] 



51 IPage 



Strictly Confidential 



GLOSSARY 



Administrative service 
providers (ASPs) 



Persons authorised by CYSEC to pro vide the folio wing services: 

• The managing or directing of trusts; 

• The undertaking or provision of the service of managing 
companies, including but not limited to the managing of 
companies, general or limited partnerships, or other 
organisations with or without separate legal personality and the 
provision of the folio wing services; 

• Providing directors for legal persons; 

• Holding the share capital of legal persons and registering the 
holder in the respective registers of shareholders on behalf of 
legal persons; 

• Provision of address of registered office and /or the official 
mail/electronic address of companies; 

• Provision of other similar services; 

• Opening or managing bank accounts; safe keeping of financial 
instruments on behalf of clients and other related services unless 
this is provided as an ancillary service in the framework of the 
Investment Services and Activities and Regulated Markets Law. 



Bearer shares 



Negotiable instruments that accord ownership in a Corporation to the 
person who possesses the bearer share certificate. 



Beneficial owner 



The natural person(s) who ultimately owns or controls a customer 
and/or the person on whose behalf a transaction is being conducted. It 
also incorporates those persons who exercise ultimate effective control 
over a legal person or arrangement. 



Brass-plate companies 



Legal entities registered in Cyprus with non-resident ownership with no 
physical presence in Cyprus. 



Business introducer 



A lawyer, accountant or an ASP who introducés customers to banks in 
Cyprus and is subject to the AML/CFT requirements of Cypriot Law. 



Competent authorities 



CBC, CYCSEC, CBA, ICPAC and MOKAS 



52 I P a g e 



Strictly Confidential 

Correspondent banking The provision of banking services by one bank (the "correspondent 

bank") to another bank (the "respondent bank"). Large international 
banks typically act as correspondents for thousands of other banks 
around the world. Respondent banks may be provided with a wide 
range of services, including cash management (e.g. interest-bearing 
accounts in a variety of currencies), international wire transfers of funds, 
cheque clearing, payable-through accounts and foreign exchange 
services. 

Measures set out in Recommendation 5 of the FATF Recommendations 
to be applied by financial institutions before establishing a business 
relationship with a customer and on an ongoing basis thereafter, for the 
purpose of, inter alia, identifying and verifying the identity of a 
prospective customer, obtaining information on the nature and purpose 
of the prospective business relationship and monitoring the business 
relationship after its establishment. 

Designated non -financial Designated non-financial businesses and professions means: 
businesses and professions a) Casinos (which also includes internet casinos). 
(DNFBPs) b) Real estate agents. 

c) Dealers in precious metais. 

d) Dealers in precious stones. 

e) Lawyers, notaries, other independent legal professionals and 
accountants - this refers to sole practitioners, partners or 
employed professionals within professional firms. It is not 
meant to refer to 'internal' professionals that are employees of 
other types of businesses, nor to professionals working for 
government agencies, who may already be subject to measures 
that would combat money laundering. 

f) Trust and Company Service Providers refers to all persons or 
businesses that are not covered elsewhere under these 
Recommendations, and which as a business, provide any of the 
folio wing services to third parties: 

• acting as a formation agent of legal persons; 

• acting as (or arranging for another person to act as) a 



Customer Due Diligence 
(CDD) 



53 I Page 



Strictly Confidential 



director or secretary of a company, a partner of a 
partnership, or a similar position in relation to other legal 
persons; 

• providing a registered office; business address or 
accommodation, correspondence or administrative address 
for a company, a partnership or any other legal person or 
arrangement; 

• acting as (or arranging for another person to act as) a 
trustee of an express trust; 

• acting as (or arranging for another person to act as) a 
nominee shareholder for another person. 

FATF Recommendations The 2003 Forty Recommendations and the Nine Special 

Recommendations on Terrorist Financing. 



Financial Action Task 
Force (FATF) 



An inter-governmental policymaking body whose purpose is to establish 
international standards, and to develop and promote policies, both at 
national and international le veis, to combat money laundering and the 
financing of terrorism. 



Financial Intelligence Unit 
(FIU) 



Recommendation 26 of the FATF Recommendations requires countries 
to establish a FIU that serves as a national centre for the receiving (and, 
as permitted, requesting), analysis and dissemination of STR and other 
information regarding potential money laundering or terrorist financing. 
The FIU should have access, directly or indirectly, on a timely basis to 
the Financial, administrative and law enforcement information that it 
requires to proper ly undertake its functions, including the analysis of 
STR. 



MOKAS 



The Cypriot FIU 



Payable-through accounts Correspondent accounts that are used directly by third parties to transact 

business on their own behalf. 



Politically Exposed 
Persons (PEPs) 



Individuals who are or have been entrusted with prominent public 
functions in a foreign country, for example Heads of State or of 



54 I P a g e 



Strictly Confidential 



government, senior politicians, senior government, judicial or military 
officials, senior executives of state owned corporations, important 
political party officials. Business relationships with family members or 
close associates of PEPs involve reputational risks similar to those with 
PEPs themselves. The definition is not intended to cover middle ranking 
or more junior individuals in the foregoing categories. 



Predicate offence 



The underlying criminal activity that generates funds to be laundered. 



Suspicious Activity 
Reports (SARs) 



Recommendation 13 of the FATF Recommendations requires financial 
institutions to report to the FIU when they suspect or have reasonable 
grounds to suspect that funds are the proceeds of a criminal activity. 



Wire transfers Any transaction carried out on behalf of an originator person (both 

natural and legal) through a financial institution by electronic means 
with a view to making an amount of money available to a beneficiary 
person at another financial institution. The originator and the beneficiary 
may be the same person. 



55 I P a g e 



Strictly Confidential 



ANNEX 1 




EUROGROUP WORKING GROUP 



The President 



Brussels, 09 March2013 
ecfm.cef.cpe(2013)384422 



Dear Mr. Ringguth, 

Cypms lias requested fmancial assistance from the euro area in 201 1, and the Eurogroup is 
now targeting political cndorscmcnt of such assistance around the second half of March. 

As part of the preparations for an adjustment programme that would underpin the assistance, 
the finance ministers of the euro area have agreed with Cyprus on commissioning an independent 
evaluation of the implementation of the anti-money laundering framework in Cypriot fïnancial 
institutions. Since the available timeframe is regrettably tight, convincing progress on this 
evaluation would need to be made at an unusually accelerated pace. 

I understand that the Troika institutions (the European Commission, ECB and IMF) and 
Cyprus have agreed that Moneyval's participation in this process would be invaluable. I would 
like to express my support for such an approach in view of Moneyval's widely recognised 
expertise in this field. 

Specifically, one would envisage Moneyval conducting an assessment of whether customer 
due diligence (CDD) requirements are effectively implemented in the banking sector. This 
assessment would follow the FATF methodology, and could be carried out in collaboration with 
international experts. 

As chairman of the Eurogroup Working Group, I would very mueh appreciate if you could 
sigual at the earliest opportunity whether Moneyval can consider undertakiug such an evaluation. 
In case the reply is favourable, I would request that you contact the Central Bank of Cyprus to 
agree on the practicalities of the next steps. 



Yours sincerely, 




Thomas Wieser 

Mr. Mr John RINGGUTH 

Executive Secretary to MONEYVAL 
Councü of Europe 

67075 Strasbourg CEDEX, FRANCE 
j ohn . n u g gut h <fb c o e . int 



56 I P a g e 



Strictly Confidential 



ANNEX 2 



Secretarjat General 

dlrectorate general 
human rlghts and rule of law 

COUNCIl CON5EIL 

MONEYVAL of euhope de l-europe 




Please quote: DGI/JR/cg 

Mr Thomas Wieser 
President 

Eurogroup Working Group 
European Commission 
Rue de fa Loi, 170 
1040-Bruxelles 

Strasbourg, 12 March 2013 



Dear Mr Wieser, 

Thank you for your letter of 9 March. 

I confirm that MONEYVAL is prepared to conducf such an assessment on an exceptional basis I 
expect the terms of reference will be agreed today 

We hope to be able to begin our work in Cyprus on 19 March. 
t'ours sincerely, 




John Ringguth ' 
Executive Secretary to MONEYVAL 



F-67075 Strasbourg Cedex Fax: +33 (0)3 88 41 30 17 r,„ D ,//www.coe in.M.nn^. 



57 I P a g e 



Strictly Confidential 



Annex 3 

Key elements for a third party AML audit of the effective implementation of CDD 

MEASURES WITH REGARD TO DEPOSITS AND LOANS 

Objective : 

Assess whether Customer Due Diligence (CDD) requirements are effectively implemented in 
accordance with the Cypriot legal frame work 11 and international standards for a meaningful share of 
the banking system's balance sheet. Assessment should also be made about the level and composition 
of foreign-related deposits and loans in Cypriot credit institutions. 

Scope : 

• Moneyval in collaboration with international experts will conduct an assessment, according to 
the FATF 2003 Recommendations and 2004 Methodology, of the CDD compliance in the banking 
sector, Moneyval will focus on the effectiveness of implementation. 

• An independent auditor will focus on the measures implemented by the credit institutions to 
prevent criminals from being the beneficial owners of customer deposits in, or loans from, Cypriot 
credit institutions. 

All credit institutions 12 , over a threshold of EUR 2 billion of total deposits (by end-2012) 
should be included in the exercise. 

Sampling modalities to achieve the audit's general objectives will be approved by the CBC 
and the programme partners. 

The exercise will focus on stocks (deposits and loans) rather than flows (transfers from and to 
Cyprus). However, in the context of the analysis of stocks, the auditor will have to ensure that credit 
institutions have adequate knowledge of the origin and destination of funds. 

Because of time constraints, this audit will not cover the adequacy of the internal systems in 
place in credit institutions to detect ML/TF. 

This audit will also contain an analysis of the breakdown of deposits made and loans granted 
by i) country of residence, and ii) by country of origin, for both the owners and beneficial owners. 

The data collected will be used solely for the exercise of this implementation review. 



11 The 2007 AML Law and the 2008 Central Bank of Cyprus (CBC) Directive on the prevention of money laundering and 
terrorism financing 

12 As defined bin Art. 2.1(1) of the Third Anti-Money Laundering Directive, 2005/60/EC 



58 I Page 



Strictly Confidential 



Methodology/Sampling : 

The audited institutions will present the auditor with a breakdown of deposits made and loans 
granted by i) country of residence, and ii) country of origin, for both the owners and beneficial 
owners, as well as the individual share and origin of the top 100 owners and borrowers. 
MoneyVal and the independent auditor will be granted access to all the information necessary to 
perform their respective tasks. 

Process : 

The auditor will perform this work in order to: 

- Ensure that customers were identified and that their identity was adequately verified. 

- Ensure that beneficial owners were identified and that reasonable measures were taken to verify 
their identity. 

- Ensure that the purpose and intended nature of the business relationship was understood and 
documented. 

- Ensure that ongoing due diligence was conducted. 

- Ensure that customers designated as higher risk were effectively subject to enhanced due 
diligence. 

- Ensure that unusual and/or suspicious activities/transactions on the accounts, are properly 
detected and recorded. 

- Ensure that other customers and beneficial owners were risk rated and that enhanced CDD 
measures were applied. 

- The auditor will not perform any investigations, but will analyze the information provided by 
each bank in light of the legal framework and best practices, including with regard to risk profile. 

Output : 

By March 27, 2013 Moneyval and the auditor will prepare preliminary key findings on the overall 
credit sector's level of compliance with the AML legal framework. These findings will not contain 
any confidential information and will only be shared within Moneyval, the auditor, the CBC and 
programme partners (EC/ECB/IMF). 

Upon completion of the work, Moneyval will present its assessment of the compliance with CDD 
measures against the FATF standards, focussing on effectiveness of implementation. Moneyval 
will also sumbit main findings and recommendation with this assessment. The results will be 
taken into account in Moneyval's own processes in the future. 



To be agreed with the contractor, but likely to involve on-site meeting with the CBC and credit institutions. 



59 I P a g e 



Strictly Confidential 



The auditor will present a report containing comments and conclusions with regard to both the 
overall credit sector's and individual institutions' level of compliance with the Cypriot legislation 
on CDD. The report should present quantitative data on the level and breakdown of deposits 
made by and loans granted to foreign nationals, and indicate the extent to which this data is 
reliable (e.g. if beneficial ownership information is not properly verified, the quantitative data 
might not be comprehensive). 

For each bank, the auditor will also provide an individual report listing customers in the sample 
and related CDD compliance analysis (allocating a number by customer in order to preserve 
confidentiality). 

The auditor will cross -check the information received from the bank under 1. above with the 
results of its work. 



The relevant reports from Money val and the auditor should be delivered to the CBC as well as to 
the Minister of Finance and to the programme partners by March 31, 2013. The programme 
partners will report to the Eurogroup on the level of implementation of preventive measures by 
fmancial institutions, based on the fmdings of Moneyval's and the auditor's reports. 



Contracting : 



The work will be carried out as follows: i) the CBC will commission an independent auditor of the 
utmost integrity who would be bound by the provisions of the CBC Law, and in particular by the 
provisions for professional secrecy therein; and ii) the President of Eurogroup Working Group will 
make a request for an assessment by MONEYVAL which could include international experts. The 
independent auditor should be agreed by CBC and programme partners. The auditor will be 
contracted, in full respect of EU public procurement rules 14 .Preference should be given to an auditor 
with no existing business relationship with the Cypriot government, related agencies, or Cypriot 
financial institutions. 



According to Directive 2004/1 8/EC the accelerated procedure set out in in Art.38.8a allows for a shortened tender 
procedure (10 days if the notice was sent by electronic means, in accordance with the format and procedure for sending 
notices indicates in point 3 of annex VIII of the Directive). The dates indicated above are based on the work of the auditor 
starting on March 19. 



60 I P a g e 



Strictly Confidential 



ANNEX 4 

The Fourth Round MONEYVAL Assessment of Cyprus 

1. As a member of the Council of Europe, Cyprus is subject to MONEYVAL's evaluation 
process which assesses countries' compliance with the FATF Recommendations. At the time 
of this assessment, the last evaluation of Cyprus had been carried out in June 2010 (report 
adopted on 27 th September 2011) under MONEYVAL's fourth evaluation round. 15 This 
section of the report provides an overview of the findings related to Customer Due Diligence 
and other related measures set out in the fourth round Mutual Evaluation Report (MER) of 
Cyprus. It is to be noted that the assessment of preventive measures was not based on an 
assessment of the banking sector only, as is the case in the current assessment, but on the 
financial sector as a whole. 

2. Under the fourth round assessment, the legal provisions in the Cypriot AML Law providing 
for the application of CDD requirements were found to be broadly in place. A few minor 
technical shortcomings were identified which mainly related to issues arising as a result of the 
slight non-alignment between Directive 2005/60/EC and the FATF Standards on simplified 
CDD and the treatment of correspondent banking relationships with respondent banks situated 
in a member state of the European Union. In terms of the effective application of CDD 
requirements by the financial sector, the evaluators noted that although awareness and 
understanding of the CDD obligations were generally sound, certain sectors, particularly the 
insurance and the money/value transfer sectors, displayed a weak understanding of the 
concept of beneficial ownership, especially insofar as the identification of beneficial owners 
of a foreign legal entity or arrangement is concerned. Potential effectiveness issues were also 
noted with respect to the identification and verification procedures of legal entities registered 
with the Registrar of Companies in Cyprus due to the incomplete data which was available at 
the registry. 

3. The evaluators also noted that the AML Law sufficiently covered the requirements dealing 
with politically-exposed persons (PEPs), although various minor deficiencies were identified. 
The definition of a PEP was found not to extend to foreign PEPs residing in Cyprus and the 
application of PEP-related measures did not cover beneficial owners. Furthermore, the 

15 MONEYVAL is the only AML/CFT assessment body conducting a follow-up round of assessments following the 
conclusion of the third round of global evaluations under the 2003 FATF Standards. This follow-up round is a partial re- 
assessment of the effectiveness of implementation of some, but not all, of the 2003 FATF Standards, namely R. 1,3, 4, 5, 10, 
13, 17, 23, 26, 29, 30, 31, 35, 36, 40, SR I, II, III, IV and V, as well as those other FATF recommendations rated non- 
compliant or partially compliant in the third round. As such, comparisons between third round results and fourth results may 
be misleading. 



61 I Page 



Strictly Confidential 



requirement to obtain senior management approval to continue a business relationship where 
an existing customer is found to be or subsequently becomes a PEP was not provided for in 
the law. However, the evaluators concluded that the practical application of PEP requirements 
appeared to be effective, despite the strong reliance on commercial databases to identify 
PEPs. 

4. Measures related to record-keeping were considered to be compliant with the FATF 
standards. In practice, financial institutions went beyond the five-year record-keeping period 
and it appeared that no difficulties had been experienced by competent authorities in 
obtaining the recorded information in a timely manner. Positive findings were also reported in 
relation to the application of wire -transfer rules. Financial institutions met by the evaluators 
appeared to have an adequate level of awareness of the measures which are required to be 
applied. 

5. With regard to the reporting regime, the evaluators observed that financial institutions 
focussed their resources on the risks emanating from international business, which as noted 
elsewhere in this report is prevalent in Cyprus. In fact, the large majority of SARs filed with 
MOKAS related to non-resident customers. Although the level of reporting appeared to be 
satisfactory, most SARs were submitted by banks. The other financial institutions were less 
active in this area. 

6. The AML/CFT supervisory structure was found to be broadly sound. AU the necessary 
powers to perform supervisory functions were largely in place. Nevertheless, concerns were 
raised regarding the absence of a risk-based approach to supervision by some supervisory 
authorities and the noticeable decrease in the number of on-site inspections carried out. 
Additionally, the overall number of sanctions imposed for AML/CFT breaches appeared to be 
low in proportion to the size of the financial sector. 

7. The evaluators determined that compliance with DNFBP requirements was not adequate. 
Although Trust and Company Service Providers were required to comply with the provisions 
of the AML Law, they were still unregulated at the time of the assessment. Moreover, the 
scope of application of the AML Law to the accountancy profession did not appear to 
adequately cover all the activities included in the FATF Standards. Weaknesses were noted in 
the effective application of CDD measures in relation to the identification of beneficial 
owners. A low level of STR reporting was also identified. With regard to the supervision of 
designated non-financial businesses and professions (DNFBPs), various shortcomings were 
identified. In particular, the evaluators found insufficiënt evidence to conclude that effective 



62 I P a g e 



Strictly Confidential 



supervision had been carried out, mainly as a result of a lack of resources. Additionally, no 
sanctions had been imposed on DNFBPs for failure to comply with AML/CFT requirements. 

Action by Cyprus since the fourth round 

8. Cyprus is due to present an update in December 2013 to the MONEY VAL plenary. 

9. Information provided for the purposes of this assessment of CDD measures in the banking 
sector shows that the AML Law has not yet been amended since the fourth round 
MONEYVAL assessment. Thus, the technical compliance issues found in the MER have not 
been addressed. However, this assessment team was informed that a draft bill amending the 
AML Law, which is to be presented to parliament shortly, contains a number of changes: 

10. Clarifying that third parties on which banks are authorised to rely may operate in the Cypriot 
republic or in other countries of the European Economie Area; 

a. Revising the provisions dealing with simplified CDD measures to address the 
deficiencies identified in the fourth round MONEYVAL report, which permitted 
banks and other financial institutions not to apply any form of CDD measures with 
respect to certain categories of customers and products; 

b. Amending the definition of a PEP to cover foreign PEPs residing in Cyprus. 

11. The new legal provisions do not address the following deficiencies identified by the fourth 
round evaluators: 

a. Requiring senior management approval in those cases where an existing customer 
becomes or is subsequently found to be a PEP (for the insurance sector); 

b. Require the implementation of a risk-based procedures to determine whether the 
beneficial owner of a business relationship or transaction is a PEP (for the insurance 
sector); 

c. Requiring banks and other financial institutions to establish the source of wealth and 
source of funds in all circumstances; 

d. It is noted that the draft provisions do not appear to address the issue of domestic 
PEPs as required under the revised FATF Recommendations (2012). 

12. The Company Registrar advised the present assessment team that the registry moved to an 
electronic system of company formation from the end of 2012. The new IT system is 
expected to release staff to deal with the backlog of non-updated information. The registrar 
anticipates that the registry will be in a stronger position by the end of 2014. 



63 I P a g e 



Strictly Confidential 



ANNEX 5 

Supervision of Banks 

1. According to the AML/CFT Law, the Central Bank of Cyprus (CBC) is responsible for the 
AML/CFT supervision of banks. 

2. The Banking Supervision & Regulation Department of the CBC includes an AML/CFT 
inspection team responsible for the AML/CFT off-site and on-site supervision. The CBC 
indicated to the assessors that a decision has been made to increase the staff complement of 
the AML/CFT inspection team. 

3. The CBC has developed a risk-based methodology for off-site and on-site monitoring 
compliance with AML/CFT requirements by banks. A risk assessment is performed by the 
CBC during the first weeks of each year with a view to establishing its supervisory program. 
On this basis, the CBC places more emphasis on banks which carry out sizeable international 
business activities. Each bank is assessed with regard to the risks that it is exposed to, taking 
into account its size, complexity and nature of the business. For instance, on the basis of the 
assessment by the Advisory Authority against Money Laundering and Terrorist Financing that 
the main risks for Cyprus emanate from the international business activities at the layering 
stage, the CBC decided to give more emphasis in the framework of its supervisory plan for 
the year 2012 to banks which carry out sizeable international business activities. 

4. The decision as to which financial institutions will be examined is also influenced by the 
findings of previous examinations, by the date of the last on site examination, as well as by 
information (financial and non-financial) collected during off-site monitoring. A priority 
ranking for inspections is then defined. For each bank included in the list of inspections for 
the year, the CBC determines which units/departments need to be visited. According to the 
Cypriot authorities, the accuracy of decisions made by the CBC regarding its AML/CFT 
inspection programme is facilitated by the relatively limited number of Cypriot banks and is 
also based on close knowledge of each bank by the Supervision Department. 

5. Off-site supervision: Banks are required by the CBC to report monthly data regarding large 
cash deposits from customers, large incoming and outgoing fund transfers, the number of 
internal reports submi tted to the Money Laundering Compliance Officer (MLCO), and the 
number of suspicious activity reports sent to MOKAS. Moreover, the off-site examination is 
also based on more qualitative information contained in the annual activity report that the 



64 I P a g e 



Strictly Confidential 



MLCO of each bank is required to submit to the Board of Directors and forwarded to the 
CBC. This includes, inter alia, information relating to inspections and reviews performed by 
the MLCO and the bank's Internal Audit Unit, the material deficiencies and weaknesses 
identified in the bank's AML/CFT policies, procedures and controls applied by the bank in 
relation to high risk customers, as well as information regarding the number and 
characteristics of high risk customers (companies with bearer shares, trusts, politically 
exposed persons, etc), the systems and procedures applied by the bank for the on-going 
monitoring of accounts and transactions, the training attended by the MLCO team as well as 
provided to the bank's staff, and the structure and staffmg of the MLCO's section. The off-site 
supervision is also based on regular meetings with Senior Management, Internal Auditor, and 
MLCO of banks. In addition, external information obtained through the cooperation with 
other supervisory authorities, the law enforcement authorities and MOKAS constitute other 
important bases for the off-site supervision. This is complemented by review of public 
sources of information (including the local and foreign press). Information and alerts coming 
from other businesses or the public are also taken into consideration. 

6. The information received is assessed to ensure banks' compliance with the legal and 
regulatory framework, allowing the CBC to identify outliers requiring closer attention with 
the aim to foster compliance improvements, as well as to identify priority areas for 
supervisory planning in the banking sector. 

7. On-site supervision: When an on-site inspection is about to be conducted, the bank concerned 
is informed of this in advance in writing. The notification letter lists the detailed information 
that must be made available to the inspectors. The extent of the required information depends 
on the characteristics of the inspected bank and the precise object of the on-site inspection. 
Ho wever, such required information typically includes: detailed information regarding the 
customers, accounts and business relationships, information regarding the AML/CFT 
structure, organisation, policy and procedures of the bank, the AML/CFT policy and 
procedures for account opening, the on-going monitoring system in place (IT system, risk 
indicators, the related procedural manual), the last audit reports regarding the compliance 
function, the annual compliance program, and the reports by the MLCO regarding controls 
conducted over the two last years, the internal reports of ML/TF suspicions made by 
employees to the MLCO and the SAR transmitted by the MLCO to MOKAS over the three 
last years. 

8. The on-site inspections cover the examination of the compliance of the AML/CFT measures 
in place with all applicable legal and regulatory requirements as well as the evaluation of the 



65 I P a g e 



Strictly Confidential 



effectiveness of their implementation through sample testing. The CBC developed an 
examination program ("AML Audit Program Banks" and "Checklist Customer Due 
Diligence") that incorporates a review of all the legally-required AML/CFT elements. 

9. Findings made during the inspections are detailed in a written report that also contains 
recommendations for the bank and identifies, where necessary, corrective measures to be 
implemented within a fixed time frame. The bank is required to report periodically to the 
CBC on the progress made in the effective implementation of these measures. 

10. Over the last 5 years, the number of on-site inspections (including both focussed visits and 
full scale inspections with an AML/CFT element) is as follows: 



Year 


Number of 
inspections 


2012 


4 16 


2011 


10 


2010 


8 


2009 


11 


2008 


18 



16 The Cypriot authorities pointed out that the comparatively lower number of on-site inspections in 2012 by the CBC was the result of the 
increased workload arising out of the Cypriot Presidency of the Council of the European Union in the second half of 2012 and CBC 
interaction with the Eurogroup in view of the financial assistance programme. 



66 I P a g e 



Strictly Confidential 



ANNEX 6 

Supervision of ASPs, Lawyers and Accountants for AML/CFT Purposes 

Cyprus Securities and Exchange Commission 

1. CYSEC is responsible for enforcing compliance with the Law Regulating Companies 
Providing Administrative Services and Related Matters of 2012. The law came into force in 
December 2012 and covers all persons providing administration services other than firms of 
lawyers regulated by the Cyprus Bar Association and accountants regulated by ICPAC 
(ASPs). 

2. Administrative services are defined by section 4 of the law as being: 

a. The managing or directing of trusts; 

b. The undertaking or provision of the service of managing companies, including but not 
limited to the managing of companies, general or limited partnerships, or other 
organisations with or without separate legal personality and the provision of the 
folio wing services; 

c. Providing directors for legal persons; 

d. Holding the share capital of legal persons and registering the holder in the respective 
registers of shareholders on behalf of legal persons; 

e. Provision of address of registered office and /or the official mail/electronic address of 
companies; 

f. Provision of other similar services; 

g. Opening or managing bank accounts; 

h. Safe keeping of financial instruments on behalf of clients and other related services 
unless this is provided as an ancillary service in the framework of the Investment 
Services and Activities and Regulated Markets Law. 

3. There are some exemptions to the services covered by the law, including the holding of up to 
10 directorships. This figure was reached after a mapping exercise. 

4. Subject to these exemptions, persons currently undertaking administrative services and 
requiring to be licensed had to pro vide a notification to CYSEC by 21 February 2013. All 
applications for authorisation by existing businesses need to be made by 21 June 2013. The 
purpose of the notification requirement was to provide CYSEC with basic information on the 
existence of each firm, their business activities and their cliënt base so that it could 



67 I P a g e 



Strictly Confidential 



understand the potential scope of its regulated constituency. In total CYSEC received 320 
notifications. Following receipt of these notifications, CYSEC had expected seom 250 firms 
to make a formal application for authorization. CYSEC now expects a much smaller 
constituency of authorised businesses. The period between notification and the deadline for 
applications will allow firms to take steps to become compliant with the legislation or cease 
doing business or understand that in practice it need not apply for authorisation. For example, 
sole practitioners cannot be authorised and must therefore restructure the business so that it is 
undertaken by a legal person. Some firms are withdrawing from the business. To date five 
applications have been received and two authorisations issued. 

5. When dealing with applications CYSEC undertakes a screening process for shareholders and 
directors, reviews the responses to a detailed questionnaire and the AML/CFT procedures 
manual which is required. There is a fit and proper test. Firms are also required to appoint an 
internal AML compliance officer and either appoint an internal lawyer or establish a 
relationship with an external firm of lawyers. No outsourcing outside Cyprus is permitted. 
CYSEC will have two years from the 21 June deadline to resolve all applications received by 
that date. This potentially allows some ASPs a two year transitional period to undertake their 
business before their applications are resolved. 

6. In practice information about the ASP sector remains very limited. The largest employer has 
some 180 staff. It is estimated by CYSEC that five ASPs have more than 100 staff. Many 
firms have five or fewer staff. CYSEC considers that the lawyer, accountancy and ASP 
sectors are approximately similar in size. CYSEC is not yet in an informed position to 
understand the business models and customer base of ASPs to any great degree or the ML/FT 
risk profile of the ASP sector. It is currently working on a ML/FT risk assessment project. A 
firm of consultants has been chosen to provide software for assessing the risk profile of ASPs. 
CYSEC intends to undertake a risk based approach to supervision and confirmed that it will 
use off-site supervision to inform its on-site inspection programme. No decision has been 
taken on how many on-site inspections will be undertaken but the preliminary thinking is that 
one third of authorised persons will be inspected each year. It was clear to the review team 
that CYSEC is taking its job of supervising the ASP sector seriously. 

7. The day to day work of supervision will be carried out by an existing department of 
supervisors which is already responsible for investment supervision. Legal challenges will be 
taken forward by the legal department. It is considered that, as the ASP regime is an 
AML/CFT regime, it will be less onerous than investment supervision. However, if the initial 
estimate of 250 authorised ASPs is correct, this would mean over 80 on-site inspections a 



68 I P a g e 



Strictly Confidential 



year would need to be undertaken by a team already undertaking supervision of investment 
entities. The review team considers that CYSEC has underestimated the amount of work 
necessary to undertake a programme of on-site and off-site supervision, together with 
associated work, for 250 authorised entities. It will also be important for CYSEC to 
commence its programme of inspections as soon as possible after the deadline for applications 
has passed and, at latest, in the fourth quarter of 2013. 

Cyprus Bar Association 

8. The supervisory body for lawyers is the Cyprus Bar Association (CBA). The CBA maintains 
three registers, namely a register for practising lawyers, a register of firms and a register of 
lawyers engaging in administrative service provider work. There are some 2,500 practising 
advocates. To date some 270 firms have been registered with the CBA to provide trust and 
corporate services. The CBA expects this figure to rise to 500. 

9. The CBA has issued a comprehensive directive on the prevention of money laundering and 
terrorist financing to its members. The directive lays down the AML/CFT obligations of 
lawyers. 

10. Lawyers are required to conduct customer due diligence when forming companies. 

11. In conducting on-site inspections the CBA has focussed on the largest firms while being 
mindful of the risks posed by small firms. Three hundred and seventy seven on-site 
inspections have been undertaken since 2010 when the AML/CFT regime was established. 
The CBA is moving towards a formal risk based approach, which is expected to be finalised 
in April. 

12. Most business relationships seen during inspections involve holding companies, mainly 
holding real estate. There are some trading companies. A few firms of lawyers specialise in 
forming and administering ship management companies. 

13. The CBA considered that adequate customer due diligence on the beneficial ownership of 
cliënt structures is carried out. Only one structure including bearer shares had been seen 
during on-site inspections. Customer due diligence in relation to PEPs is thought to be good. 
Some business relationships include general or specific powers of attorney authorised by the 
directors of cliënt companies. General powers of attorney are less common than specific 
powers of attorney. The CBA sees the former as high risk. Customer due diligence is 



69 I P a g e 



Strictly Confidential 



undertaken on the persons to whom the power is provided. From the CBA perspective, banks 
do conduct customer due diligence on lawyers acting as introducers; in addition, lawyers 
maintain complete customer due diligence in their offices and do not themselves rely on third 
parties. 

14. The compliance team at the CBA comprises two staff. They conduct all of the on-site 
inspections. No sanctions have been issued except for 10 warning letters. Remedial action is 
required by firms within specified deadlines. Confirmation is not explicitly required by firms 
at the expiry of a deadline that remediation has been completed. The adequacy of remediation 
is checked when follow-up on-site inspections are carried out. However, it seems not to be 
Standard practice to deliver a written report after each inspection, which complicates the 
remediation. 

15. The CBA is taking its role as an AML/CFT supervisory authority seriously. Nevertheless, an 
increase in the number of staff engaged in AML/CFT supervision (as is already planned) 
would allow a comprehensive risk based approach to be undertaken to on-site and off-site 
supervision. Also, the issue of ten warning letters, absence of Standard written reports and no 
other sanctions after 377 on-site inspections suggests that the approach to sanctions should be 
recalibrated. 

Institute of Certified Public Accountants of Cyprus 

16. The competent authority for regulating the accounting profession in Cyprus is the Institute of 
Certified Public Accountants (ICPAC). ICPAC has more than 3,300 professional accountants 
of which 850 are practising members. Most of the practising members provide their services 
through one of the 540 accountancy firms. ICPAC has sub-contracted the quality control 
function of accountants and accountancy firms to the Association of Chartered Certified 
Accountants (ACCA) in the United Kingdom. The outsourcing agreement includes amongst 
others items the examination of AML procedures (amongst other regulatory requirements). 
While recognizing the potential merits of this arrangement, MONEYVAL recommended in 
its 4 th Round report that the Cyprus authorities should provide for a legal basis for this 
outsourcing of the quality control function to ACCA. This recommendation has not been 
implemented so far. 

17. According to ICPAC all licensees have been subject to ACCA inspections at least once over 
the last six years. According to the ICPAC representatives those inspections took on average 
one to two days depending on the business size of the license holder. It has to be stressed that 



70 I P a g e 



Strictly Confidential 



the quality of the AML/CFT controls is just one of several components that are examined at 
the occasion of these inspections (other components mainly relate to compliance with 
company law requirements). The net time dedicated to the AML/CFT component could not 
be clearly established. 

18. According to ICPAC representatives the inspections comprise both the examination of 
internal procedures, policies and controls in place as well as an examination of the effective 
implementation by reviewing a sample of customer files. However, the content of these 
examinations appears to be mainly driven by the professional standards applied by ACCA. 
The particularities and specific risks faced by Cyprus appear not to be adequately taken into 
account in the AML/CFT inspection programme. Furthermore, the information received by 
ICPAC on the results of the inspections carried out by ACCA appears to be limited. 

19. ICPAC representatives informed the evaluation team that no sanctions or written warnings 
have been imposed so far, as a result of the onsite inspections carried out by ACCA. In the 
case that ACCA identifies deficiencies in the AML/CFT controls of inspected licensees, they 
are regularly requested to remedy those shortcomings within a given timeframe. 

20. The evaluation team was informed that a recent amendment of the Auditors Law introduced a 
separate licensing category for accountants or accountancy firms providing administrative 
services. The amendments became effective on 1 January 2013. As of July 2013 accountants 
not holding such a certificate cease to be entitled to provide administrative services. A 
separate register for these licensees will be kept and will be available on the website of 
CYSEC. 

21. In response to this development, ICPAC intends to adapt its supervisory activities. ICPAC 
informed the evaluation team that the quality control function outsourced to ACCA will be 
redesigned. A more tailor-made AML review for this new licensing category will be 
established. According to ICPAC these licensees will be subject to ACCA inspections at least 
once every three years. According to ICPAC representatives this supervision cycle and the 
content of the examination will be modelled on the supervisory approach by CYSEC. 

22. ICPAC has issued a comprehensive Directive outlining the AML/CFT requirements for its 
members. The Directive has been revised in December 2011 folio wing the revision of the 
Cypriot AML/CFT Law. ICPAC also regularly provides comprehensive AML/CFT training 
to its members. The level of suspicious activity reporting by accountants appears to be very 
low. 



71 I Page 



Strictly Confidential 



23. Overall, the evaluation team takes the view that the AML/CFT supervision of the 
accountancy sector needs further strengthening. The measures envisaged following the 
introduction of a separate licensing category for accountants or accountancy firms providing 
adrninistrative services appear to point in the right direction. 



72 I P a g e 



Strictly Confidential 



ANNEX 7 

The Company Registry 

1. The Department of Registrar of Companies and Official Receiver is part of the Ministry of 
Commerce, Industry and Tourism. It registers companies, limited partnerships, general 
partnerships, business names, and branches of foreign companies undertaking business in 
Cyprus. Some 70 staff work in the companies section of the registry. 

2. Since the end of 2012 companies can be formed electronically, with filings also being made 
electronically. 

3. Routine filings required by company law include changes of director, shareholder, the 
allotment of shares and change of name. 

4. Annual returns and financial statements are also required to be filed. Under section 1 1 8 of the 
company law the annual return should include the following information: 

a. The address of the registered office; 

b. The address where any register of debentures is kept if it is kept other than at the 
registered office; 

c. A summary of the share capital distinguishing between shares issued for cash and 
shares issued as fully or partly paid up otherwise than in cash; 

d. Particulars of the total amount of indebtedness of the company; 

e. A list of the members of the company and persons who have ceased to be members 
since the last return, together with the number of shares held by each member; 

f. Particulars in relation to the directors and any secretary. 

5. Annual returns are not required to be made by a company in its year of incorporation or if it is 
not required to hold an annual general meeting. 

6. When annual returns are checked by the registry it appears to be unusual for the routine 
filings not to have been provided. Where routine filings are discovered as not having been 
made (bearing in mind the only opportunity to make checks in practice is when checking 
annual returns) the company registrar writes to the company. Any stronger enforcement 
action requires an application to the court and, in any case, any fine is imposed by the court. 
Accordingly, there is no incentive for the registrar to take enforcement action. Striking off a 
company requires the approval of the Attorney General. 



73 I P a g e 



ANNEX 8 

List of entities met during the on-site mission 

Central Bank of Cyprus 
MOKAS (FIU) 

Cyprus Securities and Exchange Commission 

Institute of Certified Public Accountants of Cyprus 

Cyprus Bar Association 

Cyprus Popular Bank plc (Laiki Bank) 

Hellenic Bank plc 

Piraeus Bank (Cyprus) Limited 

EFG EuroBank Ergasias S.A. 

FBME Bank Limited 

National Bank of Greece (Cyprus) Limited 

PrivatBank Commercial Bank 

Societe Generale Bank - Cyprus Limited 

Cyprus Development Bank plc 

Russian Commercial Bank (Cyprus) Limited 

Alpha Bank Cyprus Ltd 

Promsvyazbank JS Commercial Bank 

Representatives from the Accountancy and Audit Profession 

Representatives from the Legal Profession 



Strictly Confidential 



ANNEX 9 

Overview of Legal Entities in Cyprus 

1. Three types of company are available under Cypriot company law, namely companies limited 
by shares, companies limited by guarantee (with or without share capital) and public limited 
companies. Limited partnerships and general partnerships can also be formed. The law does 
not provide for the issue of bearer shares. 

2. Companies can be registered with one shareholder. Companies limited by shares owned by 
Cypriots would normally not have nominee shareholders. Conversely, companies limited by 
shares owned by non-Cypriots normally would have nominee shareholders. 

3. It is normal for firms of lawyers, accountants or other company service providers to pro vide 
directors. This is beneficial for tax reasons. There are few corporate directors in light of the 
need for directors to take decisions and hold meetings in Cyprus for tax purposes. There 
appears to be no pattern to the use of corporate directors. 

4. There are fewer than 500 public limited companies. The vast majority of these, an estimated 
98%, are small and medium enterprises, with some 60% being estimated as owned by 
Cypriots. Traditionally, such companies were owned by Cypriot families. It is thought that the 
majority are now being established by non-Cypriots. 

5. There are some 15,000 companies limited by guarantee. Some 99% of these were estimated 
as being owned by Cypriots with the small number of foreign owned companies being 
established by, for example, foreign charities. 

6. Limited partnerships are mostly owned by Cypriots (an estimated 99%) for small businesses. 
It is considered to be a stepping stone to the formation of a company if the business is 
successful. Non-Cypriot owned limited partnerships are mostly established for projects, 
including joint venture structures. Each limited partnership must have a general partner. There 
are some 11,000 general partnerships. They include traders, small family businesses, societies 
and firms of accountants and lawyers. 

7. Branches of companies establishing a place of business in Cyprus must also be registered. 
Some 1,500 to 1,700 branches are registered. Ownership of the branches is diversified. 



75 I P a g e 



Strictly Confidential 

Countries named as having persons owning branches were the US, the UK, Belize and 
France. 



76 I P a g e 



